HTProtect.org
Independent information site on Joomla security vulnerabilities

Joomla security vulnerabilities – current & clearly explained

htprotect.org collects current, critical security vulnerabilities in popular Joomla extensions and frameworks – factual, free and with step-by-step guides that are easy to follow even for beginners. The goal: warn those affected quickly and help them close the gaps.

What this is – and what it is not
This site is neutral and informative, not promotional. It summarises publicly available vendor and research information and links the original sources. The only exception is the clearly marked section on the protection extension HTProtect. In all cases: the most effective measure is applying the official updates promptly.

Is a website affected? Check now.

Free scanner: checks a domain for malicious redirects (spam/phishing/jmtouch), the Japanese Keyword Hack (cloaking) and injected code, and shows the evidence it found.

Security status

Current security status

Six current flaws rated as critical. Check the installed versions – details and guides per entry.

  • Helix3 Framework
    Several unauthenticated file & upload flaws in the AJAX plugin.
    Secure with: Helix3 3.1.1
  • Astroid Framework
    Unauthenticated upload → code execution; exploited in the wild.
    Secure with: Astroid 3.3.13 or newer · CVE-2026-21628 · actively exploited
  • Tassos / Novarain
    Unauthenticated AJAX flaw in the framework behind many extensions; CVSS 9.5.
    Secure with: Tassos Framework 6.0.62 or higher · CVE-2026-21627
  • JCE Editor
    Unauthenticated upload; actively exploited for web shells.
    Secure with: JCE 2.9.99.5 – better 2.9.99.6 · actively exploited
  • iCagenda
    Missing login check in the event form → upload without authentication.
    Secure with: iCagenda 4.0.8
  • SP Page Builder
    Zero-day upload → RCE without login; actively exploited.
    Secure with: SP Page Builder 6.6.2 (emergency update) · actively exploited
The flaws in detail

Quick overview & entry point

Each flaw briefly outlined – one click leads to the detailed, beginner-friendly guide.

Helix3 Framework
JoomShaper
Critical

Several serious flaws were disclosed in the AJAX plugin of JoomShaper's Helix3 template framework – including writing and deleting files and uploading PHP code without logging in. All versions before 3.1.1 are affected; the 3.1.1 fix is available via the normal Joomla updater. Note: Helix3 is not the same as the newer Helix Ultimate.

Astroid Framework
TemPlaza
Critical · actively exploited

In the widely used Astroid Framework, a critical flaw allows files to be uploaded without any authentication – and, in the worst case, code execution (RCE). Versions 2.0.0 to 3.3.10 are affected; fixed from 3.3.11, with 3.3.13 or newer recommended (CVE-2026-21628). Already-compromised sites often show injected plugins such as "BLPayload" or "JCachePro".

Tassos / Novarain
tassos.gr
Critical · Exploit available

The Tassos Framework (formerly Novarain) is bundled, often unnoticed, inside many popular extensions such as Convert Forms or EngageBox. Unauthenticated AJAX calls allow file and database access – rated critical at CVSS 9.5, with a public exploit tool available (CVE-2026-21627). Updating any one Tassos extension is enough: the framework is automatically raised to a secure version (6.0.62+).

JCE Editor
JoomlaContentEditor
Critical · actively exploited

JCE is one of the most-used editors for Joomla. Insufficient access control allowed unauthenticated attackers to upload editor profiles and, through them, arbitrary files – and the flaw is already being actively exploited to plant web shells. All versions before 2.9.99.5 are affected (Free and Pro), regardless of whether registration is enabled. Version 2.9.99.5 is secure; the follow-up release 2.9.99.6 is preferable.

iCagenda
Event calendar
Critical

iCagenda is a popular event calendar for Joomla. The form for submitting events lacked a real login check – so even unauthenticated attackers could upload files, even when the form was supposedly restricted to registered users. All versions before 4.0.8 are affected; the 4.0.8 fix was released on 15 June 2026.

SP Page Builder
JoomShaper
Critical · actively exploited

SP Page Builder is one of the most-used page builders for Joomla. A zero-day flaw in the custom-icon upload function checked neither login nor file type, allowing code execution (RCE) without a login. The entire 6.x series up to and including 6.6.1 is affected; the emergency update 6.6.2 closes the hole. It is already being actively exploited and leaves behind hidden super-users and backdoors.

Basics

How to update a Joomla extension safely

Almost all of the flaws described here are closed the same way – via the Joomla update center. This general guide is for beginners:

First: make a backup
Back up files and database before changing anything – e.g. with Akeeba Backup or via your host. That way you can roll back if there is a problem.
  1. Log in to the back end: open the Joomla administrator (your domain with /administrator appended) and log in.
  2. Open the Update center: go to System → Update → Extensions and click "Check for updates".
  3. Update the extension: select the affected extension from the list and click "Update". Joomla downloads and installs the new version automatically.
  4. Verify the version: check the installed version number (in the component itself or under Extensions → Manage) and compare it with the "secure version" on the relevant detail page.
  5. If a compromise is suspected, clean up: an update closes the hole but does not remove malware already injected. If anything looks off, have the site professionally cleaned and change all passwords.

No update shown?
First update Joomla itself and check under System → Update → Update sites whether the source is enabled. Otherwise download the package from the vendor and install it via Extensions → Manage → Install.
Protection extension
HTProtect

Many of the flaws listed here follow the same pattern: unauthenticated file upload. This is exactly where HTProtect comes in – as an additional layer of protection for Joomla that does not, however, replace a vendor update.

One-click hardening · Joomla security extension · by Website-Bereinigung.de
Real-time protection (WAF)
Blocks exploit requests, including payloads in the POST body, which a plain .htaccess rule never inspects.
Exploit shield & live signatures
New signatures are loaded automatically – zero-days are covered promptly.
Upload folder hardening
Prevents execution of uploaded PHP files – exactly the entry point of these flaws.
Monitoring & email alerts
A watchdog checks files, super-user accounts, defacement & a watch list and reports anomalies.
Site scan & vulnerable extensions
Checks the installation for, among other things, known vulnerable extensions.
HTTPS enforcement & back-end protection
Enforces HTTPS and can additionally secure the administrator login.

Note: HTProtect does not replace updates. The most effective measure remains applying vendor updates promptly – HTProtect reduces the risk in the window beforehand and reports anomalies.
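The "upload folder hardening" above describes the one mitigation that applies to every flaw on this page: even if an attacker manages to upload a PHP file, it must never be executed. The fragment below is an added example of how a site owner can apply that on their own; it is not HTProtect's configuration and not taken from any vendor. It assumes Apache 2.4 with mod_mime available and AllowOverride permitting FileInfo and AuthConfig in .htaccess files, and it is meant to be saved as images/.htaccess (Joomla's default upload folder; any other upload folder works the same way).

```apache
# Added example, not HTProtect's own code: save as images/.htaccess.
# Assumes Apache 2.4 and AllowOverride FileInfo AuthConfig for this directory.
# Goal: anything below the upload folder is served as static content only.

# 1) Refuse every request for a file whose name carries a script extension.
#    The trailing (\.|$) also catches double extensions such as shell.php.jpg,
#    which some handler configurations would otherwise run.
<FilesMatch "\.(php|php[3-8]|phtml|phar|pl|py|cgi|sh)(\.|$)">
    Require all denied
</FilesMatch>

# 2) Belt and braces: even if a name slips past the filter, make sure no PHP
#    interpreter is attached to files in this tree.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .phar
RemoveType .php .phtml .phar
```

After saving the file, request a harmless test file such as images/test.php in the browser: the server should answer 403 (from rule 1), never execute it. If the server answers 500 instead, AllowOverride is too restrictive for this directory and the same directives belong in the virtual-host configuration inside a `<Directory>` block. On nginx, .htaccess files are ignored altogether; the equivalent is a `location` block in the server configuration that returns 403 for script extensions under the upload path. Neither variant replaces the vendor update, since a vulnerable upload endpoint can still be used to overwrite files elsewhere; it only removes the most common follow-on step, running the uploaded web shell.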

Supporters

Supporters of this site

htprotect.org is a free, vendor-independent information service. It is supported by:

Host & community
FC-Hosting

Joomla host from Germany with active community support – discovered the first attack on the JCE vulnerability.

fc-hosting.de
Initiator & operator
Website-Bereinigung.de

Specialised in cleaning, maintaining and securing Joomla and WordPress websites.

website-bereinigung.de

Support this project

You run a hosting or Joomla service and would like to support htprotect.org – and be listed here as a supporter? Every contribution helps to warn and protect those affected faster.
