Skip to main content

This Is Not a Fire on the Far Shore - Security Alerts Across Joomla Core and Major Extensions

| Alaudae.JP

Within the space of 48 hours, the Joomla ecosystem has seen a series of announcements that deserve more than a glance. These are not routine maintenance notes. If you operate a Joomla site, this is something to verify today.

On July 7, 2026, the Joomla Project released Joomla 6.1.2 and 5.4.7, a security and bugfix release containing twelve security fixes: six cross-site scripting (XSS) issues and six cases of incorrect access control. Notably, several of the access control flaws sit in Web Services API endpoints (com_media, com_privacy, com_fields). If your site exposes the Joomla API, treat this update as urgent.

The following day, July 8, JCE Editor 2.9.99.9 was published. The release itself addresses, among other things, RPC requests being wrongly blocked as false positives by Cloudflare OWASP managed rules and the Imunify WAF. But it arrives on the heels of a rapid series of hardening releases that closed serious holes, including unauthenticated profile uploads and a path traversal in the file browser. For JCE users, staying on the very latest build is no longer optional. It is the baseline.

Official announcements exist for both. Do not take this article's word for it - check the sources yourself and act:

  • Joomla 6.1.2 & 5.4.7: https://www.joomla.org/announcements/release-news/5955-joomla-6-1-2-5-4-7-security-bugfix-release.html
  • JCE Editor changelog: https://www.joomlacontenteditor.net/support/changelog/editor

And then there is the graver matter. SP Page Builder, one of the most popular page builders for Joomla, has a confirmed vulnerability (CVE-2026-48908) that allows an unauthenticated attacker to upload a file and achieve remote code execution. It scores the maximum 10.0 on CVSS 4.0. All versions up to and including 6.6.1 are affected; the fix, 6.6.2, has been available since June 14. It is being actively exploited: attackers have been observed planting web shells under /media/com_sppagebuilder/ and creating fake Super Administrator accounts with email addresses ending in @secure.local. The truly chilling detail: a site was attackable even if not a single page built with the component was ever published, and even if the component was disabled. Installed was enough.

The same class of flaw has been confirmed in Page Builder CK (CVE-2026-56290): an unauthenticated upload leading to remote code execution, also rated 10.0, also exploited in the wild, fixed in version 3.6.0.

Neither of these is a novel technique. An upload endpoint that skips its authentication check is one of the oldest and best-known failure patterns in web security. And the easier and more popular an extension is, the larger its installed base - which is exactly the size of the attack surface. The only question that matters is whether the containment of vulnerabilities keeps pace with the popularity.

There is one more shift worth naming: AI. On vendor forums, users now openly report finding further flaws through AI-assisted static analysis of the source code. If researchers can find holes with AI, so can attackers. Discovery and weaponization are both accelerating beyond anything we are used to. For better or worse, whether these fires get extinguished quickly now depends on whether developers and site operators can move at that same speed.

This is not a fire on the far shore. Automated attacks do not check whether your site is corporate or personal, commercial or a hobby, before they strike. If the component is installed, you are on the list.

One final point: an update is prevention, not cleanup. If a site was already breached, patching removes neither the web shells nor the fake administrators. At minimum: review your administrator user list, search your upload directories for PHP files you do not recognize, and if you find any trace of intrusion, rotate every credential - administrator passwords, database passwords, API keys. Only then is the fire actually out.

In the end, the only way to stop a vulnerability - no, a security hole - from spreading is the daily, unglamorous work of gathering information. That is not paranoia. It is, I believe, the minimum duty of anyone who invites visitors in.