Security

Security Announcements

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Probability: Moderate
    • Versions: 3.0.0-5.4.3, 6.0.0-6.0.3
    • Exploit type: Incorrect Access Control
    • Reported Date: 2026-03-11
    • Fixed Date: 2026-03-31
    • CVE Number: CVE-2026-21629

    Description

The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by third-party developers.

    Affected Installs

    Joomla! CMS versions 3.0.0-5.4.3, 6.0.0-6.0.3

    Solution

    Upgrade to version 5.4.4 or 6.0.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: JSST

    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: Low
    • Probability: Moderate
    • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    • Exploit type: SQLi
    • Reported Date: 2026-03-05
    • Fixed Date: 2026-03-31
    • CVE Number: CVE-2026-21630

    Description

    Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

    Affected Installs

    Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

    Solution

    Upgrade to version 5.4.4 or 6.0.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Antonio Morales from GitHub Security Lab Taskflow Agent / vnth4nhnt from CyStack

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Low
    • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    • Exploit type: XSS
    • Reported Date: 2026-03-11
    • Fixed Date: 2026-03-31
    • CVE Number: CVE-2026-21631

    Description

    Lack of output escaping leads to an XSS vector in the multilingual associations component.

    Affected Installs

    Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

    Solution

    Upgrade to version 5.4.4 or 6.0.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Shirsendu Mondal & Md Tanzimul Alam Fahim, UNC Pembroke

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Low
    • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    • Exploit type: XSS
    • Reported Date: 2026-03-10
    • Fixed Date: 2026-03-31
    • CVE Number: CVE-2026-21632

    Description

    Lack of output escaping for article titles leads to XSS vectors in various locations.

    Affected Installs

    Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

    Solution

    Upgrade to version 5.4.4 or 6.0.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: peter vanderhulst

    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: High
    • Probability: Low
    • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    • Exploit type: Arbitrary File Deletion
    • Reported Date: 2026-03-16
    • Fixed Date: 2026-03-31
    • CVE Number: CVE-2026-23898

    Description

    Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

    Affected Installs

    Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

    Solution

    Upgrade to version 5.4.4 or 6.0.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Phil Taylor

    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: High
    • Probability: Low
    • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    • Exploit type: Incorrect Access Control
    • Reported Date: 2026-03-09
    • Fixed Date: 2026-03-31
    • CVE Number: CVE-2026-23899

    Description

    An improper access check allows unauthorized access to webservice endpoints.

    Affected Installs

    Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

    Solution

    Upgrade to version 5.4.4 or 6.0.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Phil Taylor

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Low
    • Versions: 4.0.0-5.4.1, 6.0.0-6.0.1
    • Exploit type: XSS
    • Reported Date: 2025-11-14
    • Fixed Date: 2026-01-06
    • CVE Number: CVE-2025-63082

    Description

    Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.

    Affected Installs

    Joomla! CMS versions 4.0.0-5.4.1, 6.0.0-6.0.1

    Solution

    Upgrade to version 5.4.2 or 6.0.2

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Sho Sugiyama of SUZUKI MOTOR CORPORATION

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Low
    • Versions: 3.9.0-5.4.1, 6.0.0-6.0.1
    • Exploit type: XSS
    • Reported Date: 2025-09-29
    • Fixed Date: 2026-01-06
    • CVE Number: CVE-2025-63083

    Description

    Lack of output escaping leads to an XSS vector in the pagebreak and pagenavigation plugins.

    Affected Installs

    Joomla! CMS versions 3.9.0-5.4.1, 6.0.0-6.0.1

    Solution

    Upgrade to version 5.4.2 or 6.0.2

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: peterhulst

    • Project: Joomla! / Joomla! Framework
    • SubProject: CMS / filter
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Moderate
    • Versions: 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3
    • Exploit type: XSS
    • Reported Date: 2025-08-03
    • Fixed Date: 2025-09-30
    • CVE Number: CVE-2025-54476

    Description

    Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.

    Affected Installs

    Joomla! CMS versions 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3

    Solution

    Upgrade to version 4.4.14 or 5.3.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Flydragon, Poi, Cwy, Xtrimi

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Probability: Low
    • Versions: 4.0.0-4.4.13, 5.0.0-5.3.3
    • Exploit type: User Enumeration
    • Reported Date: 2025-09-04
    • Fixed Date: 2025-09-30
    • CVE Number: CVE-2025-54477

    Description

    Improper handling of authentication requests leads to a user enumeration vector in the passkey authentication method.

    Affected Installs

    Joomla! CMS versions 4.0.0-4.4.13, 5.0.0-5.3.3

    Solution

    Upgrade to version 4.4.14 or 5.3.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Marco Schubert

Joomla! User Group Jeddah

Copyright © 2018-2026 Joomla! User Group Jeddah. All rights reserved. Developed by Moussa Solutions.