CVE-2026-40384

Vulnerability

The com_media files API endpoint in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 improperly validates the search parameter, enabling a path traversal attack [1]. The vulnerability exists in the web service endpoint that handles file search operations, where user-supplied input is not sanitized for directory traversal sequences.

Exploitation

An attacker with network access to the Joomla instance can exploit this by sending a specially crafted HTTP request to the com_media API endpoint with a malicious search parameter containing path traversal sequences (e.g., ../) [1]. No authentication is explicitly required, though the endpoint may be restricted to authenticated users depending on the site configuration. The attacker can then traverse directories outside the intended media folder.

Impact

Successful exploitation allows an attacker to read arbitrary files on the server's filesystem, leading to information disclosure [1]. This could expose sensitive configuration files, database credentials, or other confidential data, depending on the web server's file permissions. The attacker gains read access at the privilege level of the web server process.

Mitigation

Joomla! has released fixed versions 5.4.6 and 6.1.1 on 2026-05-26 [1]. Users should upgrade to these versions immediately. No workarounds are documented, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.