Joomla! Security News

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Probability: Moderate
    • Versions: 3.0.0-5.4.3, 6.0.0-6.0.3
    • Exploit type: Incorrect Access Control
    • Reported Date: 2026-03-11
    • Fixed Date: 2026-03-31
    • CVE Number: CVE-2026-21629

    Description

    The ajax component was excluded from the default logged-in-user check in the administrative area. Third-party developers may not have expected this behaviour.

    Affected Installs

    Joomla! CMS versions 3.0.0-5.4.3, 6.0.0-6.0.3

    Solution

    Upgrade to version 5.4.4 or 6.0.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: JSST

    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: Low
    • Probability: Moderate
    • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    • Exploit type: SQLi
    • Reported Date: 2026-03-05
    • Fixed Date: 2026-03-31
    • CVE Number: CVE-2026-21630

    Description

    Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.
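
The vulnerability class named above, as an added illustrative example that is not Joomla's own articles web service code: a listing whose ORDER BY clause is concatenated from request input, beside the same listing with an allow-list. The `articles` table, its rows and the `probe_vulnerable` / `safe_ids` helpers are constructed here so the script runs offline against an in-memory SQLite database.

```python
"""Added illustrative example (not Joomla's code): an ORDER BY clause built
from request input, vulnerable form beside an allow-listed form.  The table
and rows are constructed here; they stand in for an articles table."""
import sqlite3

# Constructed sample rows: (id, title, hits).
ROWS = [(1, "Alpha", 3), (2, "Beta", 1), (3, "Gamma", 2)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, hits INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", ROWS)
    return conn


def list_articles_vulnerable(conn, order_by, direction):
    # Vulnerable pattern: identifiers and the sort direction cannot be bound
    # as parameters, so the request values are pasted into the SQL text.
    sql = f"SELECT id, title FROM articles ORDER BY {order_by} {direction}"
    return conn.execute(sql).fetchall()


def probe_vulnerable(condition):
    # Attacker-controlled ORDER BY expression: the row order reveals whether
    # `condition` is true (boolean-based blind injection through ordering).
    payload = f"(CASE WHEN ({condition}) THEN id ELSE hits END)"
    rows = list_articles_vulnerable(make_db(), payload, "ASC")
    return [row[0] for row in rows]


# Hardened pattern: request values are keys into fixed maps, and only the
# mapped SQL fragments ever reach the query text.
ALLOWED_ORDER = {"id": "id", "title": "title", "hits": "hits"}
ALLOWED_DIRECTION = {"asc": "ASC", "desc": "DESC"}


def list_articles_safe(conn, order_by, direction):
    column = ALLOWED_ORDER.get(order_by)
    dir_sql = ALLOWED_DIRECTION.get(str(direction).lower())
    if column is None or dir_sql is None:
        raise ValueError(f"unsupported ordering: {order_by!r} {direction!r}")
    sql = f"SELECT id, title FROM articles ORDER BY {column} {dir_sql}"
    return conn.execute(sql).fetchall()


def safe_ids(order_by, direction):
    # Ids in the order the hardened query produced them, or None when the
    # allow-list rejected the request before any SQL was built.
    try:
        rows = list_articles_safe(make_db(), order_by, direction)
    except ValueError:
        return None
    return [row[0] for row in rows]


if __name__ == "__main__":
    print("vulnerable, condition true :", probe_vulnerable("1=1"))
    print("vulnerable, condition false:", probe_vulnerable("1=2"))
    print("safe, hits asc             :", safe_ids("hits", "asc"))
    print("safe, injected             :",
          safe_ids("(CASE WHEN 1=1 THEN id ELSE hits END)", "ASC"))
```

The point of the probe is that an ordering injection needs no error message or UNION: the attacker only needs two distinguishable row orders, one per truth value, to extract data bit by bit. Escaping does not help here because the injected text is an identifier or expression, not a string literal; mapping the request value onto a fixed allow-list is the fix.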

    Affected Installs

    Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

    Solution

    Upgrade to version 5.4.4 or 6.0.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Antonio Morales from GitHub Security Lab Taskflow Agent / vnth4nhnt from CyStack

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Low
    • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    • Exploit type: XSS
    • Reported Date: 2026-03-11
    • Fixed Date: 2026-03-31
    • CVE Number: CVE-2026-21631

    Description

    Lack of output escaping leads to an XSS vector in the multilingual associations component.

    Affected Installs

    Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

    Solution

    Upgrade to version 5.4.4 or 6.0.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Shirsendu Mondal & Md Tanzimul Alam Fahim, UNC Pembroke

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Low
    • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    • Exploit type: XSS
    • Reported Date: 2026-03-10
    • Fixed Date: 2026-03-31
    • CVE Number: CVE-2026-21632

    Description

    Lack of output escaping for article titles leads to XSS vectors in various locations.

    Affected Installs

    Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

    Solution

    Upgrade to version 5.4.4 or 6.0.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: peter vanderhulst

    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: High
    • Probability: Low
    • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    • Exploit type: Arbitrary File Deletion
    • Reported Date: 2026-03-16
    • Fixed Date: 2026-03-31
    • CVE Number: CVE-2026-23898

    Description

    Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.
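
The failure mode named above, as an added illustrative example that is not Joomla's update code: a routine that removes a file named by untrusted input, first without validation, then with the check a practitioner would want (resolve the path, require it to stay inside the directory the feature owns, and only unlink regular files). The `updates/package.zip` and `secret.txt` layout, the `run_scenario` helper and both deleters are constructed here; the script builds a temporary directory so it runs anywhere.

```python
"""Added illustrative example (not Joomla's code): deleting a file named by
untrusted input.  The vulnerable version trusts the name; the hardened
version confines the resolved path to the feature's own directory."""
import os
import tempfile


def delete_vulnerable(base_dir, requested_name):
    # Vulnerable: no validation.  "../" segments walk out of base_dir, and
    # os.path.join discards base_dir entirely when the name is absolute.
    target = os.path.join(base_dir, requested_name)
    os.remove(target)
    return target


def delete_safe(base_dir, requested_name):
    # Hardened: refuse absolute names, resolve symlinks and ".." with
    # realpath, and require the result to remain under base_dir.
    if os.path.isabs(requested_name):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{requested_name!r} escapes {base_dir!r}")
    if not os.path.isfile(target):
        raise ValueError(f"{requested_name!r} is not a regular file")
    os.remove(target)
    return target


def run_scenario(deleter, requested_name):
    """Constructed layout: <tmp>/updates/package.zip (owned by the feature)
    and <tmp>/secret.txt (outside it).  Calls deleter(updates, requested_name)
    and returns (package_still_exists, secret_still_exists, rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        updates = os.path.join(tmp, "updates")
        os.mkdir(updates)
        package = os.path.join(updates, "package.zip")
        secret = os.path.join(tmp, "secret.txt")
        for path in (package, secret):
            with open(path, "w") as fh:
                fh.write("constructed sample file\n")
        rejected = False
        try:
            deleter(updates, requested_name)
        except ValueError:
            rejected = True
        return os.path.exists(package), os.path.exists(secret), rejected


if __name__ == "__main__":
    for name in ("package.zip", "../secret.txt"):
        print("vulnerable", name, run_scenario(delete_vulnerable, name))
        print("safe      ", name, run_scenario(delete_safe, name))
```

The containment check is done on the resolved path rather than on the raw string because a symlink inside the owned directory can point anywhere; `realpath` follows it before `commonpath` compares. Rejecting absolute names first matters because `os.path.join` silently drops every earlier component when a later one is absolute.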

    Affected Installs

    Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

    Solution

    Upgrade to version 5.4.4 or 6.0.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Phil Taylor