Arbitrary file upload in Joomla! Project CMS

CVE-2025-22213

Inadequate checks in the Media Manager allowed users with "edit" privileges to change a file's extension to an arbitrary extension, including .php and other potentially executable extensions.

Vulnerability class: Unrestricted File Upload

EPSS: 0.005 (36.1th percentile)

Affected products

Weakness classification (CWE)

References