Alert GCSA-26096 - Security update for Joomla!


******************************************************************

Alert ID: GCSA-26096
Date: 29 May 2026
Title: Security update for Joomla!

******************************************************************

:: Description of the problem

A new version of the Joomla! CMS has been released that fixes several security vulnerabilities, three of which are rated "critical" and four "high" severity.

[20260501] - Core - XSS in feed modules
[20260502] - Core - XSS in com_associations
[20260503] - Core - XSS in com_contenthistory
[20260504] - Core - XSS in readmore links
[20260505] - Core - CSRF in user activation endpoint
[20260506] - Core - Authenticated blind SQLi in com_finder
[20260507] - Core - Authenticated blind SQLi in com_tags
[20260508] - Core - Improper access check in com_config webservice endpoints
[20260509] - Core - LFI in HTMLView layout parameter
[20260510] - Core - Path traversal in com_media webservice endpoint
[20260511] - Core - MFA Authentication Bypass
[20260512] - Core - MFA Authentication Bypass
[20260513] - Core - Privilege escalation through com_users batch task
[20260514] - Core - Privilege escalation through com_users webservice endpoints
[20260515] - Core - Incorrect Access Control in sample data plugins
[20260516] - Core - Incorrect Access Control in com_scheduler
[20260517] - Core - Incorrect Cache Key Construction for InputFilter objects
[20260518] - Core - Transport encryption downgrade for password and username reset links
[20260519] - Framework - Inadequate content filtering within the checkAttribute filter code
[20260520] - Framework - Inadequate content filtering within the cleanAttributes filter code

More details are available in the "References" section.

:: Affected software

Joomla! versions prior to 5.4.6
Joomla! versions prior to 6.1.1

:: Impact

Security Feature Bypass (SFB)
SQL Injection (SQLi)
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Elevation of Privilege (EoP)
Access to confidential data (ID)

:: Solutions

Update to the latest versions (5.4.6 or 6.1.1)
https://downloads.joomla.org/
https://downloads.joomla.org/latest
https://downloads.joomla.org/cms/joomla6/

:: References

Joomla! Release News
https://www.joomla.org/announcements/release-news/5954-joomla-6-1-1-5-4-6-security-bugfix-release.html

Joomla! Security Announcements
https://developer.joomla.org/security-centre/1033-20260501-core-xss-in-feed-modules.html
https://developer.joomla.org/security-centre/1034-20260502-core-xss-in-com-associations.html
https://developer.joomla.org/security-centre/1035-20260503-core-xss-in-com-contenthistory.html
https://developer.joomla.org/security-centre/1036-20260504-core-xss-in-readmore-links.html
https://developer.joomla.org/security-centre/1037-20260505-core-csrf-in-user-activation-endpoint.html
https://developer.joomla.org/security-centre/1038-20260506-core-authenticated-blind-sqli-in-com-finder.html
https://developer.joomla.org/security-centre/1039-20260507-core-authenticated-blind-sqli-in-com-tags.html
https://developer.joomla.org/security-centre/1040-20260508-core-improper-access-check-in-com-config-webservice-endpoints.html
https://developer.joomla.org/security-centre/1041-20260509-core-lfi-in-htmlview-layout-parameter.html
https://developer.joomla.org/security-centre/1042-20260510-core-path-traversal-in-com-media-webservice-endpoint.html
https://developer.joomla.org/security-centre/1043-20260511-core-mfa-authentication-bypass.html
https://developer.joomla.org/security-centre/1044-20260512-core-mfa-authentication-bypass.html
https://developer.joomla.org/security-centre/1045-20260513-core-privilege-escalation-through-com-users-batch-task.html
https://developer.joomla.org/security-centre/1046-20260514-core-privilege-escalation-through-com-users-webservice-endpoints.html
https://developer.joomla.org/security-centre/1047-20260515-core-incorrect-access-control-in-sample-data-plugins.html
https://developer.joomla.org/security-centre/1048-20260516-core-incorrect-access-control-in-com-scheduler.html
https://developer.joomla.org/security-centre/1049-20260517-core-incorrect-cache-key-construction-for-inputfilter-objects.html
https://developer.joomla.org/security-centre/1050-20260518-core-transport-encryption-downgrade-for-password-and-username-reset-links.html
https://developer.joomla.org/security-centre/1051-20260519-framework-inadequate-content-filtering-within-the-checkattribute-filter-code.html
https://developer.joomla.org/security-centre/1052-20260520-framework-inadequate-content-filtering-within-the-cleanattributes-filter-code.html

Mitre CVE
CVE references are available in the original advisory.

GARR CERT Security Alert - subscribe/unsubscribe: http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
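An inventory check for the "Affected software" and "Solutions" sections above, added here as an example (it is not GARR CERT's or the Joomla! project's code). It assumes the layout of libraries/src/Version.php in Joomla! 4/5/6, where the version is declared as the class constants MAJOR_VERSION, MINOR_VERSION, PATCH_VERSION and EXTRA_VERSION, and compares the parsed version against the fixed releases 5.4.6 and 6.1.1 named in this alert.

```python
"""Version check for the alert above (added example; not GARR CERT or Joomla! code)."""
import re
import sys
from pathlib import Path
# Fixed releases named in the alert, per branch: major -> (major, minor, patch)
FIXED = {5: (5, 4, 6), 6: (6, 1, 1)}

# Assumed layout of libraries/src/Version.php in Joomla! 4/5/6: version as class constants
_CONST = re.compile(r"const\s+(MAJOR_VERSION|MINOR_VERSION|PATCH_VERSION|EXTRA_VERSION)"
                    r"\s*=\s*(?:'([^']*)'|(\d+))\s*;")

# Constructed sample of the relevant Version.php lines for an unpatched 5.4.5 site
SAMPLE_VERSION_PHP = """<?php
final class Version
{
    public const MAJOR_VERSION = 5;
    public const MINOR_VERSION = 4;
    public const PATCH_VERSION = 5;
    public const EXTRA_VERSION = '';
}
"""

def parse_version_php(text):
    """Return (major, minor, patch, extra) from Version.php source, or None if absent."""
    found = {}
    for m in _CONST.finditer(text):
        found[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    try:
        return (int(found["MAJOR_VERSION"]), int(found["MINOR_VERSION"]),
                int(found["PATCH_VERSION"]), found.get("EXTRA_VERSION", ""))
    except (KeyError, ValueError):
        return None

def is_affected(version):
    """True if below the fixed release, False if fixed, None if the branch is not in the alert."""
    major, minor, patch, extra = version
    fixed = FIXED.get(major)
    if fixed is None:
        return None  # e.g. 4.x: the alert does not list it, so no verdict is given
    if (major, minor, patch) < fixed:
        return True
    # Conservative assumption: a pre-release tagged with the fixed number (e.g. 5.4.6-rc1)
    # is treated as not yet carrying the fix.
    return (major, minor, patch) == fixed and bool(extra)

if __name__ == "__main__":
    src = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_VERSION_PHP
    v = parse_version_php(src)
    print(v, {True: "AFFECTED", False: "fixed", None: "not covered"}.get(is_affected(v)) if v else "unparsed")
```

Run it with the path to a site's libraries/src/Version.php as the only argument; without an argument it evaluates the constructed sample.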