PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40383 Joomla! Project CVE debrief

Improper validation of user-supplied input leads to a local file inclusion vulnerability.

Vendor: Joomla! Project
Product: Joomla! CMS
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

Joomla site administrators, web application security teams, PHP developers using Joomla framework components, security operations centers monitoring CMS exploitation patterns

Technical summary

CVE-2026-40383 is a local file inclusion (LFI) vulnerability in Joomla core, specifically in the handling of the HTMLView component's layout parameter. It stems from improper validation of user-supplied input (CWE-22), which allows path traversal and unauthorized access to files on the server. The CVSS 4.0 score of 7.5 (HIGH) reflects a network attack vector with low attack complexity; however, the vector also records attack requirements as present (AT:P) and privileges required as high (PR:H), so exploitation needs an already-privileged account. No user interaction is required. Confidentiality, integrity, and availability impacts are all rated high (VC:H/VI:H/VA:H). The vulnerability was disclosed via Joomla's security center on 2026-05-26. Administrators should prioritize applying the vendor patch and enforcing strict validation of layout parameters.

Defensive priority

HIGH

Recommended defensive actions

  • Review Joomla security advisory for affected versions and patch availability
  • Apply vendor-supplied security update when available
  • Validate and sanitize layout parameters in HTMLView components
  • Implement path traversal protections for file inclusion operations
  • Monitor for exploitation attempts targeting layout parameter manipulation
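The two code-level actions above (validating the layout parameter and protecting the file-inclusion step against traversal) are illustrated below. This is an added example written for this debrief; it is not Joomla project code and does not reproduce Joomla's actual HTMLView implementation, which the advisory does not show. The function names, the allowlist pattern, the template directory layout and the sample inputs are all assumptions constructed for the illustration.

```php
<?php
// Added example (not Joomla project code): hardened handling of a
// user-controlled "layout" name before it is used to locate a template
// file. Function names, directory layout and sample inputs are assumptions.

declare(strict_types=1);

/**
 * Allowlist the layout name. Only plain identifiers ([A-Za-z0-9_-]) pass,
 * which rules out "/", "\", "..", NUL bytes and encoded variants before any
 * filesystem call is made. Returns null when the name is not acceptable.
 */
function validateLayoutName(string $layout): ?string
{
    if ($layout === '' || strpos($layout, "\0") !== false) {
        return null;
    }
    if (preg_match('/\A[A-Za-z0-9_-]+\z/', $layout) !== 1) {
        return null;
    }
    return $layout;
}

/**
 * Resolve a validated layout name to "<baseDir>/<name>.php" and confirm via
 * realpath() that the canonical file really lies under $baseDir. The second
 * check is defence in depth: even if the allowlist were loosened later, a
 * symlink or traversal sequence could not escape the template directory.
 */
function resolveLayoutFile(string $baseDir, string $layout): ?string
{
    $name = validateLayoutName($layout);
    if ($name === null) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($real === false) {
        return null; // no such template file
    }
    // Containment check: canonical path must start with "<base><separator>".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// --- constructed self-test using a throwaway template directory ---
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'layout_demo_' . getmypid();
mkdir($tmp . DIRECTORY_SEPARATOR . 'tmpl', 0700, true);
file_put_contents($tmp . '/tmpl/default.php', "<?php // constructed layout\n");
file_put_contents($tmp . '/secret.php', "<?php // must never be reachable\n");

$cases = [
    'default'            => true,  // ordinary layout name, file exists
    'missing'            => false, // valid name, but no such template file
    '../secret'          => false, // traversal rejected by the allowlist
    "default\0"          => false, // NUL byte rejected
    'default/../default' => false, // path separator rejected
];
foreach ($cases as $input => $expectFound) {
    $found = resolveLayoutFile($tmp . '/tmpl', (string) $input) !== null;
    printf("%-24s => %s\n", json_encode($input), $found ? 'resolved' : 'rejected');
    if ($found !== $expectFound) {
        throw new RuntimeException("unexpected result for " . json_encode($input));
    }
}

// cleanup
unlink($tmp . '/tmpl/default.php');
unlink($tmp . '/secret.php');
rmdir($tmp . '/tmpl');
rmdir($tmp);
```

The allowlist is the primary control: it rejects the input before it touches the filesystem, so no guesswork about which encodings or separators are dangerous is needed. The realpath() containment check is kept as a second, independent layer so that a later relaxation of the pattern (for example to permit sub-directories) cannot silently reopen the traversal path.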

Evidence notes

CVE published 2026-05-26T17:16:39.360Z; modified 2026-05-26T19:06:58.447Z. Vendor evidence from the candidate reference domain identifies Joomla as the affected product. CVSS 4.0 vector: AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Weakness: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e. path traversal).

Official resources

2026-05-26