Arbitrary file upload in Joomla! Project Cms
CVE-2025-22213
Inadequate checks in the Media Manager allowed users with "edit" privileges to change a file's extension to an arbitrary extension, including .php and other potentially executable extensions.
Vulnerability class: Unrestricted File Upload
EPSS: 0.005 (36.1th percentile)
Affected products
- Joomla! Project Cms — versions 4.0.0-4.4.11, 5.0.0-5.2.4
Weakness classification (CWE)
References
- security@joomla.org (vendor-advisory)