[20260305] – Core – Arbitrary file deletion in com_joomlaupdate

• Project: Joomla!
• SubProject: CMS
• Impact: High
• Severity: High
• Probability: Low
• Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
• Exploit type: Arbitrary File Deletion
• Reported Date: 2026-03-16
• Fixed Date: 2026-03-31
• CVE Number: CVE-2026-23898

Description

Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Phil Taylor