PT-2026-29505 · Unknown · Autoupdate Server
Phil Taylor · Published 2026-04-01 · Updated 2026-06-07
CVE-2026-23898
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Joomla! versions prior to v2.18.0
Description
A lack of input validation in the autoupdate server mechanism allows arbitrary file deletion. Attackers can bypass input validation by supplying crafted file paths, potentially leading to the deletion of arbitrary files on the web server filesystem with the privileges of the web server. Approximately 125.5k+ instances have been identified globally.
Recommendations
Update to version 2.18.0 or later.
Affected Products
Autoupdate Server