• Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 2.5.0 through 3.8.8
  • Exploit type: LFI
  • Reported Date: 2018-April-23
  • Fixed Date: 2018-June-26
  • CVE Number: CVE-2018-12712


Our autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3 this function validates invalid names as valid, which can result in a Local File Inclusion.

Affected Installs

Joomla! CMS versions 2.5.0 through 3.8.8


Upgrade to version 3.8.9


The JSST at the Joomla! Security Centre.

Reported By: Davide Tampellini