=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN347
_____________________________________________________________________

DATE                : 01/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Joomla! Core versions prior
                     to 5.4.4 or 6.0.4.

=====================================================================
https://developer.joomla.org/security-centre/1027-20260301-core-acl-hardening-in-com-ajax.html
https://developer.joomla.org/security-centre/1028-20260302-core-sql-injection-in-com-content-articles-webservice-endpoint.html
https://developer.joomla.org/security-centre/1029-20260303-core-xss-vector-in-com-associations-comparison-view.html
https://developer.joomla.org/security-centre/1030-20260304-core-xss-vectors-in-various-article-title-outputs.html
https://developer.joomla.org/security-centre/1031-20260305-core-arbitrary-file-deletion-in-com-joomlaupdate.html
https://developer.joomla.org/security-centre/1032-20260306-core-improper-access-check-in-webservice-endpoints.html
_____________________________________________________________________


Security Announcements
[20260301] - Core - ACL hardening in com_ajax

    Project: Joomla!
    SubProject: CMS
    Impact: Low
    Severity: Low
    Probability: Moderate
    Versions: 3.0.0-5.4.3, 6.0.0-6.0.3
    Exploit type: Incorrect Access Control
    Reported Date: 2026-03-11
    Fixed Date: 2026-03-31
    CVE Number: CVE-2026-21629

Description
The ajax component was excluded from the default logged-in-user
check in the administrative area. This behaviour was potentially
unexpected by third-party developers.


Affected Installs

Joomla! CMS versions 3.0.0-5.4.3, 6.0.0-6.0.3


Solution

Upgrade to version 5.4.4 or 6.0.4


Contact

The JSST at the Joomla! Security Centre.
Reported By:  JSST

_____________________________________________________________________


Security Announcements
[20260302] - Core - SQL injection in com_content articles webservice
endpoint

    Project: Joomla!
    SubProject: CMS
    Impact: High
    Severity: Low
    Probability: Moderate
    Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    Exploit type: SQLi
    Reported Date: 2026-03-05
    Fixed Date: 2026-03-31
    CVE Number: CVE-2026-21630

Description
Improperly built order clauses lead to a SQL injection vulnerability
in the articles webservice endpoint.


Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3


Solution

Upgrade to version 5.4.4 or 6.0.4


Contact

The JSST at the Joomla! Security Centre.
Reported By:  Antonio Morales from GitHub Security Lab Taskflow
Agent / vnth4nhnt from CyStack


_____________________________________________________________________

Security Announcements
[20260303] - Core - XSS vector in com_associations comparison view

    Project: Joomla!
    SubProject: CMS
    Impact: Moderate
    Severity: Moderate
    Probability: Low
    Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    Exploit type: XSS
    Reported Date: 2026-03-11
    Fixed Date: 2026-03-31
    CVE Number: CVE-2026-21631

Description
Lack of output escaping leads to an XSS vector in the multilingual
associations component.


Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3


Solution

Upgrade to version 5.4.4 or 6.0.4


Contact

The JSST at the Joomla! Security Centre.
Reported By:  Shirsendu Mondal & Md Tanzimul Alam Fahim, UNC Pembroke


_____________________________________________________________________


Security Announcements
[20260304] - Core - XSS vectors in various article title outputs

    Project: Joomla!
    SubProject: CMS
    Impact: Moderate
    Severity: Moderate
    Probability: Low
    Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    Exploit type: XSS
    Reported Date: 2026-03-10
    Fixed Date: 2026-03-31
    CVE Number: CVE-2026-21632

Description
Lack of output escaping for article titles leads to XSS vectors in
various locations.


Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3


Solution

Upgrade to version 5.4.4 or 6.0.4


Contact

The JSST at the Joomla! Security Centre.
Reported By:  peter vanderhulst

_____________________________________________________________________


Security Announcements
[20260305] - Core - Arbitrary file deletion in com_joomlaupdate

    Project: Joomla!
    SubProject: CMS
    Impact: High
    Severity: High
    Probability: Low
    Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    Exploit type: Arbitrary File Deletion
    Reported Date: 2026-03-16
    Fixed Date: 2026-03-31
    CVE Number: CVE-2026-23898

Description
Lack of input validation leads to an arbitrary file deletion
vulnerability in the autoupdate server mechanism.


Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3


Solution

Upgrade to version 5.4.4 or 6.0.4


Contact

The JSST at the Joomla! Security Centre.
Reported By:  Phil Taylor

_____________________________________________________________________


Security Announcements
[20260306] - Core - Improper access check in webservice endpoints

    Project: Joomla!
    SubProject: CMS
    Impact: High
    Severity: High
    Probability: Low
    Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
    Exploit type: Incorrect Access Control
    Reported Date: 2026-03-09
    Fixed Date: 2026-03-31
    CVE Number: CVE-2026-23899

Description
An improper access check allows unauthorized access to webservice endpoints.


Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3


Solution

Upgrade to version 5.4.4 or 6.0.4


Contact

The JSST at the Joomla! Security Centre.
Reported By:  Phil Taylor


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================