Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.
AnalysisAI
Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote attackers to delete files on affected servers due to insufficient input validation. The vulnerability affects all versions of Joomla! CMS through the update component and carries moderate-to-high real-world risk because file deletion can compromise system integrity, availability, and potentially enable privilege escalation or secondary attacks when combined with other weaknesses.
Technical ContextAI
The vulnerability resides in the Joomla! Update (com_joomlaupdate) component, which handles automatic system updates via a dedicated autoupdate server mechanism. The root cause is classified as CWE-73 (External Control of File Name or Path), indicating that the component fails to properly validate or sanitize user-supplied input before using it in file system operations. Without proper input validation, an attacker can craft malicious requests to the autoupdate mechanism that cause the server to delete arbitrary files from the filesystem, rather than restricting deletion to intended temporary or cache files. This weakness in path validation allows traversal or manipulation of file references beyond the intended scope.
RemediationAI
Apply the security patch released by the Joomla! Project as documented in their official Security Centre advisory (https://developer.joomla.org/security-centre/1031-20260305-core-arbitrary-file-deletion-in-com-joomlaupdate.html). The patch adds proper input validation to the com_joomlaupdate component to sanitize and restrict file paths used in deletion operations. Administrators should immediately update to the patched version available through the Joomla! update mechanism or download it directly from the official Joomla! website. As a temporary workaround prior to patching, consider restricting network access to the autoupdate mechanism if it is not actively required, or implementing file-level access controls to limit the impact of potential file deletion attempts.
More in Joomla Cms
View allTransport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t
Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users
Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in
Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi
Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig
Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani
Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17861
GHSA-m9qp-xh66-cmcx