Joomla Core Flaws Expose Webservice Endpoints and Enable Arbitrary File Deletion
Joomla disclosed two high-severity core vulnerabilities affecting its platform: CVE-2026-23898, an input-validation flaw in the com_joomlaupdate autoupdate server mechanism that can lead to arbitrary file deletion, and CVE-2026-23899, an improper access-control issue in webservice endpoints that can permit unauthorized access. Both issues are remotely exploitable over the network with low attack complexity, according to the published CVSS v4.0 vectors.
The file-deletion bug is mapped to CWE-73 and the webservice issue to CWE-284. Joomla said both vulnerabilities carry high potential impact across confidentiality, integrity, and availability, while requiring high privileges, and published separate security advisories through its developer portal. The disclosures indicate risk to core Joomla deployments that rely on the affected update and webservice functionality, making patch review and access-control validation a priority for administrators.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Joomla publishes security advisories for CVE-2026-23898 and CVE-2026-23899
Joomla published security advisory references documenting both vulnerabilities. The advisories describe the flaws, including the arbitrary file deletion risk in com_joomlaupdate and the improper access control issue in webservice endpoints.
Joomla receives reports for CVE-2026-23898 and CVE-2026-23899
Joomla's security team received two new vulnerability reports on April 1, 2026: CVE-2026-23898, an arbitrary file deletion issue in the autoupdate server mechanism caused by insufficient input validation, and CVE-2026-23899, an improper access check affecting webservice endpoints that could allow unauthorized access.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-23898 - Joomla! Core - [20260305] - Arbitrary file deletion in com_joomlaupdate
cvefeed.io
Open sourceCVE-2026-23899 - Joomla! Core - [20260306] - Improper access check in webservice endpoints
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Public Exploits Surface for Unauthenticated File Inclusion Flaws in Joomla and WordPress Plugins
Researchers disclosed multiple file inclusion vulnerabilities affecting popular CMS extensions, including the **Tassos/Novarain Framework** for Joomla and the **Kubio AI Page Builder** plugin for WordPress. SSD Secure Disclosure reported flaws in the Joomla framework, while a GitHub proof-of-concept tied to `CVE-2026-21627` described an unauthenticated arbitrary PHP file inclusion issue in the `ajaxTaskInclude()` function of `plg_system_nrframework`, potentially allowing attackers to load unintended server-side files without logging in. Separately, several GitHub repositories published exploit material for `CVE-2025-2294`, an unauthenticated local file inclusion vulnerability affecting **Kubio AI Page Builder** versions `<= 2.5.1`. The repeated publication of public exploit code for both CMS ecosystems lowers the barrier to opportunistic attacks, particularly against internet-exposed Joomla and WordPress sites that have not patched or removed vulnerable components.
May 25, 2026
CISA Flags Actively Exploited JCE Joomla Plugin RCE
CISA added **CVE-2026-48907** to its Known Exploited Vulnerabilities catalog after reports of active exploitation against the Widget Factory **Joomla Content Editor (JCE)** plugin. The maximum-severity improper access control flaw lets unauthenticated attackers create new editor profiles and then upload and execute PHP code, resulting in remote code execution on vulnerable Joomla sites. The KEV update raised the catalog total to 1,622 entries and set a federal remediation deadline of **2026-06-19** under **BOD 26-04**. Vendor and media reporting said the issue affects JCE versions **1.0.0 through 2.9.99.4**, with fixes released in **2.9.99.5** and later, including **JCE Pro 2.9.99.6**. The JCE team also issued a free patch for older sites and warned that public exploit code is available, attacks are automated, and sites without public registration can still be targeted. Security reporting noted that applying the update blocks the initial access path but does not remove any persistence, web shells, or malware that attackers may already have deployed on compromised servers.
Jun 19, 2026
Multiple CMS Plugin Vulnerabilities: WordPress CVEs and Joomla Novarain/Tassos Framework Flaws
Three newly described **WordPress plugin vulnerabilities** affect ShopLentor, Advanced AJAX Product Filters, and WP Maps. **CVE-2026-1714** allows **unauthenticated email relay abuse** in *ShopLentor* (<= `3.3.2`) via the `woolentor_suggest_price_action` AJAX endpoint due to missing validation of parameters such as `send_to` and `product_title`; the `wlemail` parameter can be abused for **CRLF injection** to control sender details, enabling spam/phishing relay through the victim site. **CVE-2026-1426** is a **PHP object injection** issue in *Advanced AJAX Product Filters* (<= `3.1.9.6`) reachable by **authenticated users (Author+)** through deserialization of untrusted input in `shortcode_check` within a Live Composer compatibility layer; impact depends on the presence of a usable **POP chain** in another installed plugin/theme and requires the *Live Composer* plugin to be installed and active. **CVE-2025-12062** affects *WP Maps* (<= `4.8.6`) and enables **authenticated (Subscriber+) limited local file inclusion** via `fc_load_template`, potentially leading to sensitive data exposure or code execution in scenarios where attacker-controlled `.html` content can be uploaded and then included. Separately, Joomla sites using the **Novarain/Tassos Framework** (`plg_system_nrframework`) face critical issues enabling **unauthenticated file read, file deletion, and SQL injection**, which can be chained toward **administrator takeover** and potentially **persistent RCE**. The reported weaknesses stem from an AJAX handler that processes `task=include` without sufficient hardening, allowing attackers to reach internal classes implementing `onAjax` and abuse gadget-like behaviors (e.g., CSV loading for arbitrary file read, a `remove` action for path deletion, and attacker-influenced query construction for SQL injection). The risk propagates through multiple popular Tassos extensions that bundle the framework (including **Convert Forms**, **EngageBox**, **Google Structured Data**, **Advanced Custom Fields**, and **Smile Pack**), and remediation requires applying vendor updates for affected releases.
Mar 21, 2026