HTProtect.org
Independent information site on Joomla security vulnerabilities

Helix3 template framework – critical vulnerabilities

Severity: Critical · CVE: Requested (reporter: Phil Taylor, mySites.guru)
Act now
Update Helix3 to version 3.1.1 immediately.

Secure version: Helix3 3.1.1 · via JoomShaper (account required)

At a glance

Affected extension
Helix3 – system & AJAX plugin (plg_ajax_helix3)
Type of flaw
Several critical flaws: unauthenticated file write/delete, overwriting of template settings, privilege escalation up to code execution (PHP upload), plus XSS
Affected versions
All versions before 3.1.1
Secure version
Helix3 3.1.1 (download via JoomShaper, account required)
Severity
Critical
CVE
Requested (reporter: Phil Taylor, mySites.guru)
Joomla compatibility
Joomla 4 / 5 / 6
Status / published
Published/patched: 29 June 2026 (reported: 28 June 2026)

What is this about?

Helix3 is JoomShaper's classic template framework, running as a system plugin together with an AJAX plugin (plg_ajax_helix3). Several vulnerabilities were found in this AJAX plugin that can be reached via the standard com_ajax endpoint without authentication.

The issues described include: unauthenticated file writes (path manipulation via the save action), deletion of arbitrary files (remove/remove_image), overwriting of template settings (import) and, for a logged-in user, privilege escalation up to code execution, because the image upload also accepted .php files. There are also stored and reflected XSS issues and a Google Fonts API key left in the source.

The fix has been available since 29 June 2026 as Helix3 3.1.1. A CVE number had been requested but not yet assigned at the time of disclosure; the reporter named is Phil Taylor of mySites.guru.

Helix3 is not Helix Ultimate
Helix3 is the older framework (system + AJAX plugin). Helix Ultimate is a separate, newer template with its own codebase and version numbering – it is not affected by this advisory.
A note on transparency
The public changelog entry initially read only "Security Update" – with no severity rating. Don't rely on changelogs alone: always update security-relevant extensions promptly.

Am I affected? – How to check

  1. Open the back end

    Log in to the Joomla administrator (the address ends in /administrator).

  2. Go to Plugins

    Open System → Plugins (alternatively Extensions → Manage → Manage).

  3. Filter for "Helix3"

    Search for Helix3 or "System – Helix3 Framework" and read off the version number shown.

  4. Assess the version

    If the version is below 3.1.1, the installation is vulnerable and should be updated immediately.

How to fix it

Before any update: back up
Back up your files and database before updating – so you can roll back if anything goes wrong (e.g. via Akeeba Backup or your host).
  1. Open the Update center

    Go to System → Update → Extensions and click Check for updates.

  2. Update Helix3

    Select the Helix3 entry and click Update. Version 3.1.1 is delivered via the JoomShaper update server.

  3. Verify success

    Check under System → Plugins that 3.1.1 is now shown.

Manual installation (alternative)
If no update appears, download the package from your JoomShaper account and install it via Extensions → Manage → Install.

Official source: via JoomShaper (account required). Make sure you have at least Helix3 3.1.1.

Has the site already been attacked?

An update does not remove existing malware
If the site was unpatched during the exposure window, check after updating for: unexpected files in the template folder, missing protection files (e.g. .htaccess) and unexplained changes to the template style parameters. When in doubt, have the site professionally cleaned and change all passwords.
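As an added example (not code from htprotect.org or JoomShaper), the following POSIX shell script automates the version check from "Am I affected?" and the file-level checks above. The manifest path plugins/system/helix3/helix3.xml, the root .htaccess location, the asset folder names and the template directory name are assumptions.

```sh
#!/bin/sh
# Post-update checks for a Joomla site running Helix3 (added example, not code
# from htprotect.org or JoomShaper). Assumed layout: Helix3 system plugin
# manifest at plugins/system/helix3/helix3.xml, template under templates/<name>/,
# the site's .htaccess in the Joomla root, and asset folders (images, css, js,
# fonts) that never legitimately hold PHP. Usage from the Joomla root:
#   sh helix3_check.sh . templates/shaper_helix3   (template name is an example)
FIXED_VERSION="3.1.1"
# Read the first <version> element of a Joomla extension manifest.
manifest_version() {
    sed -n 's:.*<version>\([0-9][0-9.]*\)</version>.*:\1:p' "$1" | head -n 1
}

# True (exit 0) when version $1 sorts before $2, e.g. 3.0.9 < 3.1.1 < 3.1.10.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# True when the manifest at $1 reports a Helix3 version below the fixed one.
helix3_is_vulnerable() {
    v=$(manifest_version "$1")
    [ -n "$v" ] && version_lt "$v" "$FIXED_VERSION"
}

# Print PHP-like files inside asset folders below $1. The image upload in
# the advisory accepted .php, so anything listed here deserves a look.
php_in_asset_dirs() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) \
        \( -path '*/images/*' -o -path '*/css/*' -o -path '*/js/*' -o -path '*/fonts/*' \) \
        2>/dev/null
}
# True when the protection file is still in place (arbitrary delete could remove it).
htaccess_present() { [ -f "$1/.htaccess" ]; }

# Report for Joomla root $1 and template directory $2. Returns 1 if any check
# flags something, so it can gate a cron job or a deployment step.
check_site() {
    rc=0; manifest="$1/plugins/system/helix3/helix3.xml"
    if helix3_is_vulnerable "$manifest"; then
        echo "FLAG: Helix3 $(manifest_version "$manifest") is below $FIXED_VERSION"; rc=1
    fi
    hits=$(php_in_asset_dirs "$2"; php_in_asset_dirs "$1/images")
    [ -n "$hits" ] && { echo "FLAG: PHP files in asset folders:"; echo "$hits"; rc=1; }
    htaccess_present "$1" || { echo "FLAG: $1/.htaccess is missing"; rc=1; }
    # Template files changed in the last 30 days: compare them against a backup.
    find "$2" -type f -mtime -30 | sed 's/^/recent: /'
    return $rc
}
```

A non-zero exit means at least one check flagged something; the "recent:" lines are informational and should be compared against the pre-update backup.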

Sources & further reading

The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.

Supporters of this site

htprotect.org is a free, vendor-independent information service. It is supported by:

Host & community
FC-Hosting

Joomla host from Germany with active community support – discovered the first attack on the JCE vulnerability.

fc-hosting.de
Initiator & operator
Website-Bereinigung.de

Specialised in cleaning, maintaining and securing Joomla and WordPress websites.

website-bereinigung.de

Support this project

You run a hosting or Joomla service and would like to support htprotect.org – and be listed here as a supporter? Every contribution helps to warn and protect those affected faster.
