• Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.0.0 through 3.6.4
  • Exploit type: Shell Upload
  • Reported Date: 2016-October-26
  • Fixed Date: 2016-December-06
  • CVE Number: CVE-2016-9836


Inadequate filesystem checks allowed files with alternative PHP file extensions to be uploaded.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.6.4


Upgrade to version 3.6.5


The JSST at the Joomla! Security Centre.

Reported By: Xiphos Research Ltd.