Joomla! Issues Security Patch: Critical File Deletion and Webservice Flaws Exposed
Ddos 
Joomla! CMS has released a series of critical security updates to address two high-severity vulnerabilities—CVE-2026-23898 and CVE-2026-23899—both carrying a CVSSv4 score of 8.6.
These flaws strike at the heart of the platform’s update and API mechanisms, potentially allowing attackers to dismantle site integrity or access restricted data.
The first vulnerability, CVE-2026-23898, resides within the com_joomlaupdate component. Due to a fundamental lack of input validation in the autoupdate server mechanism, an attacker could trigger the deletion of arbitrary files on the server.
By deleting critical configuration files or security-related scripts, an attacker could:
- Crash the Website: Remove essential system files to cause an immediate denial of service.
- Bypass Protections: Delete security plugins or .htaccess files to pave the way for a more intrusive secondary attack.
The second threat, CVE-2026-23899, involves an improper access check within Joomla’s webservice endpoints.
Webservices are designed to allow external applications to interact with the CMS, but they are supposed to be strictly guarded. This vulnerability allows unauthorized access to these endpoints, effectively letting unauthenticated users peek behind the curtain at data or functions that should be reserved for administrators.
These vulnerabilities affect nearly all modern versions of the CMS.
- Affected Installs: Joomla! CMS versions 4.0.0 through 5.4.3, and 6.0.0 through 6.0.3.
- The Solution: Administrators are urged to upgrade to version 5.4.4 or 6.0.4 immediately to close these security holes.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
