CVE-2026-23898 HIGH

CVE-2026-23898: Joomla! Core - [20260305] - Arbitrary file deletion in com_joomlaupdate

Vendor Joomla! Project

Product Joomla! CMS

Weakness CWE-73

Published April 1, 2026

Last update April 2, 2026

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

Key dates

April 1, 2026 CVE published

April 2, 2026 Record updated

CVE CVE-2026-23898

CWE CWE-73

CVSS 8.6 / HIGH

Vendor Joomla! Project

Product Joomla! CMS

Affected 4.0.0-5.4.3

Vendor Joomla! Project

Product Joomla! CMS

Affected 6.0.0-6.0.3