Security Announcements
-
[20260712] - Core - Incorrect Access Control in com_fields webservice endpoints
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Low
- Versions: 4.0.0-5.4.6, 6.0.0-6.1.1
- Exploit type: Incorrect Access Control
- Reported Date: 2026-05-05
- Fixed Date: 2026-07-07
- CVE Number: CVE-2026-48958
Description
An improper access check allows unauthorized users to create custom fields via webservices endpoints.Affected Installs
Joomla! CMS versions 4.0.0-5.4.6, 6.0.0-6.0.0-6.1.1
Solution
Upgrade to version 5.4.7, 6.1.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Federico Brasili -
[20260711] - Core - Incorrect Access Control in com_privacy webservice endpoints
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Moderate
- Probability: Low
- Versions: 4.0.0-5.4.6, 6.0.0-6.1.1
- Exploit type: Incorrect Access Control
- Reported Date: 2026-06-12
- Fixed Date: 2026-07-07
- CVE Number: CVE-2026-48957
Description
An improper access check allows unauthorized users to access com_privacy datasets.Affected Installs
Joomla! CMS versions 4.0.0-5.4.6, 6.0.0-6.0.0-6.1.1
Solution
Upgrade to version 5.4.7, 6.1.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Himanshu Anand -
[20260710] - Core - Incorrect Access Control in com_modules
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Low
- Versions: 4.0.0-5.4.6, 6.0.0-6.1.1
- Exploit type: Incorrect Access Control
- Reported Date: 2026-05-22
- Fixed Date: 2026-07-07
- CVE Number: CVE-2026-48956
Description
An improper access check allows users to display a list of modules in the frontend.Affected Installs
Joomla! CMS versions 4.0.0-5.4.6, 6.0.0-6.0.0-6.1.1
Solution
Upgrade to version 5.4.7, 6.1.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Warisjeet Singh (sin99xx) -
[20260709] - Core - Incorrect Access Control in com_workflow
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Low
- Versions: 6.0.0-6.1.1
- Exploit type: Incorrect Access Control
- Reported Date: 2026-04-22
- Fixed Date: 2026-07-07
- CVE Number: CVE-2026-48955
Description
An improper access check allows unauthorized users to access workflow stage and transition information.Affected Installs
Joomla! CMS versions 6.0.0-6.1.1
Solution
Upgrade to version 6.1.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: 廖双 -
[20260708] - Core - XSS through language overrides
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Low
- Versions: 3.0.0-5.4.6,6.0.0-6.1.1
- Exploit type: XSS
- Reported Date: 2026-05-15
- Fixed Date: 2026-07-07
- CVE Number: CVE-2026-48954
Description
Improper validation leads to a generic XSS vector in the language override feature.Affected Installs
Joomla! CMS versions 3.0.0-5.4.5,6.0.0-6.1.1
Solution
Upgrade to version 5.4.7, 6.1.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Morris Baumgarten-Egemole