CVE-2026-40383
Description
An improper validation of user-supplied input leads to a local file inclusion vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An improper validation of the layout parameter in Joomla! CMS HTML views allows local file inclusion in versions 3.2.1–5.4.5 and 6.0.0–6.1.0.
Vulnerability
A local file inclusion (LFI) vulnerability exists in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 [1]. The bug resides in the htmlview component, where the layout parameter is insufficiently validated before being used to include files. An attacker can supply a malicious layout value containing path traversal sequences, allowing inclusion of arbitrary local files from the server's filesystem [1].
Exploitation
An attacker must have at least low-privilege access to the Joomla! site (e.g., a registered user account), or the vulnerability may be triggerable via a front-end request, depending on the specific view configuration [1]. No special network position is required beyond ordinary HTTP access to the application. The attacker crafts a request to a vulnerable htmlview endpoint whose layout parameter contains path traversal sequences (e.g., ../../../etc/passwd%00), causing arbitrary files on the server to be included [1]. Exploitation depends on neither a race window nor any user interaction beyond the attacker's own actions.
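The missing check described above is a positive allowlist on the layout name; the example below (added here, not Joomla's code) shows such a check and applies it to the layout values found in constructed access-log lines, including the traversal request from the Exploitation section. The allowlist pattern and the combined log format are assumptions for the example, not Joomla's own rules.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Allowlist for a template layout name. This is an assumption for the example,
# not Joomla's own rule: letters, digits, underscore and hyphen, no dots or separators.
LAYOUT_ALLOWLIST = re.compile(r"[A-Za-z0-9_-]{1,64}")

def is_safe_layout(value: str) -> bool:
    """Positive validation: accept only names matching the allowlist."""
    return LAYOUT_ALLOWLIST.fullmatch(value) is not None

def normalize(value: str) -> str:
    """Percent-decode until stable so double encodings like %252e%252e are seen."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def layout_params(log_line: str) -> list[str]:
    """Extract every 'layout' query value from the request target of an access-log line."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    return parse_qs(query, keep_blank_values=True).get("layout", [])

def flag_lfi_attempts(log_lines):
    """Return (line, decoded layout) pairs for requests whose layout fails validation."""
    hits = []
    for line in log_lines:
        for raw in layout_params(line):
            decoded = normalize(raw)
            if not is_safe_layout(decoded):
                hits.append((line, decoded))
    return hits

# Constructed sample access-log lines in combined format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/May/2026:10:00:01 +0000] "GET /index.php?view=item&layout=default HTTP/1.1" 200 5120',
    '203.0.113.5 - - [26/May/2026:10:00:02 +0000] "GET /index.php?view=item&layout=../../../etc/passwd%00 HTTP/1.1" 200 1843',
    '203.0.113.5 - - [26/May/2026:10:00:03 +0000] "GET /index.php?view=item&layout=%252e%252e%252fconfiguration HTTP/1.1" 200 1843',
    '198.51.100.7 - - [26/May/2026:10:00:04 +0000] "GET /index.php?view=item&layout=edit HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line, decoded in flag_lfi_attempts(SAMPLE_LOG):
        print("suspicious layout value:", repr(decoded))
```

Decoding until stable matters because a single decode of `%252e%252e%252f` still looks harmless to a naive `..` check.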
Impact
Successful exploitation allows the attacker to read sensitive files from the server, such as configuration files containing database credentials, application secrets, or system files (e.g., /etc/passwd). This leads to information disclosure, potentially enabling further compromise of the Joomla! instance or underlying infrastructure [1]. The attacker does not gain direct command execution or privilege escalation from this vulnerability alone.
Mitigation
As of 2026-05-26, Joomla! has released fixed versions 5.4.6 and 6.1.1 [1]. All affected installations should upgrade immediately to one of these patched releases. No workarounds are documented; upgrading is the recommended mitigation [1]. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.