Skip to main content

Joomla Cms CVE-2026-23898

| EUVDEUVD-2026-17861 HIGH
External Control of File Name or Path (CWE-73)
2026-04-01 Joomla GHSA-m9qp-xh66-cmcx
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 10:00 euvd
EUVD-2026-17861
Analysis Generated
Apr 01, 2026 - 10:00 vuln.today
CVE Published
Apr 01, 2026 - 09:03 nvd
HIGH 8.6

DescriptionCVE.org

Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

AnalysisAI

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote attackers to delete files on affected servers due to insufficient input validation. The vulnerability affects all versions of Joomla! CMS through the update component and carries moderate-to-high real-world risk because file deletion can compromise system integrity, availability, and potentially enable privilege escalation or secondary attacks when combined with other weaknesses.

Technical ContextAI

The vulnerability resides in the Joomla! Update (com_joomlaupdate) component, which handles automatic system updates via a dedicated autoupdate server mechanism. The root cause is classified as CWE-73 (External Control of File Name or Path), indicating that the component fails to properly validate or sanitize user-supplied input before using it in file system operations. Without proper input validation, an attacker can craft malicious requests to the autoupdate mechanism that cause the server to delete arbitrary files from the filesystem, rather than restricting deletion to intended temporary or cache files. This weakness in path validation allows traversal or manipulation of file references beyond the intended scope.

RemediationAI

Apply the security patch released by the Joomla! Project as documented in their official Security Centre advisory (https://developer.joomla.org/security-centre/1031-20260305-core-arbitrary-file-deletion-in-com-joomlaupdate.html). The patch adds proper input validation to the com_joomlaupdate component to sanitize and restrict file paths used in deletion operations. Administrators should immediately update to the patched version available through the Joomla! update mechanism or download it directly from the official Joomla! website. As a temporary workaround prior to patching, consider restricting network access to the autoupdate mechanism if it is not actively required, or implementing file-level access controls to limit the impact of potential file deletion attempts.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

CVE-2026-30895 MEDIUM
6.9 May 26

Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec

Share

CVE-2026-23898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy