CVE-2026-40384 Joomla! Project CVE debrief

Who should care

Organizations running Joomla! CMS with the com_media webservice endpoint enabled, particularly those exposing media management APIs to administrative users. Security teams should prioritize patching and access control review for affected installations.

Technical summary

The com_media component in Joomla! CMS provides a files API endpoint that accepts a search parameter. Insufficient validation of this parameter allows directory traversal sequences to bypass intended access restrictions. An attacker with high privileges can exploit this to read arbitrary files from the underlying file system. The vulnerability is present in the webservice endpoint implementation and does not require user interaction. The confidentiality impact is rated high while integrity and availability impacts are none.

Defensive priority

medium

Recommended defensive actions

• Apply security updates from Joomla! when available per the vendor security advisory
• Review and restrict access to the com_media API endpoint to authorized administrative users only
• Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns in API requests
• Monitor access logs for suspicious search parameter values containing directory traversal sequences
• Validate that file access controls prevent unauthorized file system traversal regardless of API input validation

Evidence notes

The vulnerability was disclosed by [email protected] and published in the Joomla! Security Centre. The NVD entry shows vulnStatus as 'Undergoing Analysis'. The CVSS 4.0 vector indicates network attack vector with low attack complexity, privileged required (PR:H), and high confidentiality impact (VC:H).

Official resources