Vulnerability in Joomla! Project Cms

CVE-2026-23898

Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

EPSS: 0.000 (0.0th percentile) — read the EPSS interpretation.

Affected products

Joomla! Project Cms — versions 4.0.0-5.4.3, 6.0.0-6.0.3

Weakness classification (CWE)

CWE-73 — External Control of File Name or Path

References

developer.joomla.org/security-centre/1031-20260305-core-arbitrary-file-deletion… (vendor-advisory)