HTProtect.org
Independent information site on Joomla security vulnerabilities
HTProtect HTProtect JOOMLA SECURITY
htprotect.org Vulnerabilities & update guides
Security vulnerability

Helix Ultimate – critical flaws in the AJAX handler (no login)

CriticalCVE: No CVE assigned (reporter: mySites.guru)
Act now
Update Helix Ultimate to 2.2.7 immediately – installing all Helix Ultimate parts (system plugin and template).

Secure version: Helix Ultimate 2.2.7 · via JoomShaper (account required)

At a glance

Affected extension
Helix Ultimate – template & system plugin (JoomShaper)
Type of flaw
Several unauthenticated AJAX actions with no login/permission check: write access to menus (stored XSS), path-traversal file deletion, open redirect and unprotected template export
Affected versions
All versions before 2.2.7
Secure version
Helix Ultimate 2.2.7   Download
Severity
Critical
CVE
No CVE assigned (reporter: mySites.guru)
Joomla compatibility
Joomla 4 / 5 / 6
Status / published
Published/patched: 7 July 2026

What is this about?

Helix Ultimate is JoomShaper's current template framework (a template together with a system plugin). It registers an AJAX handler that Joomla runs via the standard com_ajax endpoint even for completely anonymous visitors. Before version 2.2.7, several of these actions did their work without first checking a login or a permission.

The most serious is an unauthenticated write access to the menu settings: because the menu content was not sanitised before output, it can be used to permanently store malicious script that then runs in visitors' browsers – and even in the administrator session (stored XSS). On top of that there is a path-traversal flaw that let file deletions reach anywhere inside the Joomla folder, an open redirect and an unprotected template export.

The fix has been available since 7 July 2026 as Helix Ultimate 2.2.7; it puts the missing login and permission checks back across every AJAX action, confines the file paths, validates redirects and cleans the menu output. Because there was no 2.2.5 or 2.2.6, every older version is behind – many installs are still on the 2.1 or even 1.1 line. No CVE number has been assigned so far.

Helix Ultimate is not Helix3
Helix Ultimate is the newer template framework with its own codebase and version numbering. Helix3 is a separate, older product with its own flaw and its own fix – don't confuse the two.
A note on transparency
The Joomla updater often shows only a meaningless "Security Update" line – with no severity rating. Don't rely on the changelog: always update security-relevant extensions immediately.

Am I affected? – How to check

  1. Open the back end

    Log in to the Joomla administrator (the address ends in /administrator).

  2. Go to Extensions

    Open ExtensionsManageManage and filter for Helix Ultimate.

  3. Read the version

    Read off the installed version. If it is below 2.2.7, the installation is vulnerable and should be updated immediately.

  4. Watch for traces

    Check menus and mega-menu settings for links or scripts you didn't add, and your Users list for unknown Super User accounts.

How to fix it

Before any update: back up
Back up your files and database before updating – so you can roll back if anything goes wrong (e.g. via Akeeba Backup or your host).
  1. Open the Update center

    Go to SystemUpdateExtensions and click Check for updates.

  2. Update every Helix Ultimate part

    Update every Helix Ultimate entry offered to 2.2.7 (system plugin and template, and possibly a template installer) – not just one of them.

  3. Verify success

    Then confirm that 2.2.7 is shown everywhere.

Manual installation (alternative)
If no update appears, download the package from your JoomShaper account and install it via ExtensionsManageInstall. Simply disabling the plugin is not enough – the files stay on the server and the AJAX endpoint can still be reached.

Official source: via JoomShaper (account required). Make sure you have at least Helix Ultimate 2.2.7.

Has the site already been attacked?

An update does not undo an attack that already happened
The update stops further attempts but reverses nothing. After updating, check: menus and mega-menu for injected links or markup, the Users list for unknown Super Users, whether protection files (.htaccess, index.html) are still present, and whether template style settings were changed. If you find something, grab evidence first, then clean the whole site and change all passwords and secrets.

Need help with the clean-up? Find qualified specialists in the Joomla Service Providers Directory.

Sources & further reading

The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.

Supporters

Supporters of this site

htprotect.org is a free, vendor-independent information service. It is supported by:

Host & community
FC-Hosting

Joomla host from Germany with active community support – discovered the first attack on the JCE vulnerability.

fc-hosting.de
Initiator & operator
Website-Bereinigung.de

Specialised in cleaning, maintaining and securing Joomla and WordPress websites.

website-bereinigung.de

Support this project

You run a hosting or Joomla service and would like to support htprotect.org – and be listed here as a supporter? Every contribution helps to warn and protect those affected faster.

Prefer to give privately, without a listing? A little something for the tip jar is just as welcome.

Support HTProtect now
Bauschild & Service

Manufactures and installs construction-site signs, hoardings and façade solutions – including design and 3D visualisation.

bauschildundservice.de
IT Specialista

Professional IT support from Czechia – Windows management, domain administration and web hosting.

defendersoft.cz