HTProtect.org
Independent information site on Joomla security vulnerabilities
HTProtect HTProtect JOOMLA SECURITY
htprotect.org Vulnerabilities & update guides
Security vulnerability

RSFiles! – critical upload flaw with code execution

CriticalCVE: Requested, not yet assigned
Act now
Update RSFiles! to 1.17.12 or newer immediately – and clean up as well if you suspect a compromise.

Secure version: RSFiles! 1.17.12 or newer · via RSJoomla! (account required)

At a glance

Affected extension
RSFiles! – file/download manager (com_rsfiles)
Vendor
Type of flaw
Unauthenticated file upload via a front-end task → remote code execution (RCE); no login, no token, no file-type check
Affected versions
All versions up to and including 1.17.11
Secure version
RSFiles! 1.17.12 or newer   Download
Severity
Critical
CVE
Requested, not yet assigned
Joomla compatibility
Joomla 4 / 5 / 6
Status / published
Published/patched: 10 July 2026

What is this about?

RSFiles! (com_rsfiles) manages file downloads in Joomla. Its front-end upload path was left open: the responsible task could be called without logging in, without a security token (CSRF), and the file was stored without checking its type.

As a result, an attacker can upload a PHP file into the publicly reachable downloads folder and then open it directly – the injected code runs on the server (remote code execution). At that point the whole site can be taken over.

Affected are all versions up to and including 1.17.11. The fix has been available since 10 July 2026 as 1.17.12. A CVE number had been requested but not yet assigned at the time of disclosure.

Am I affected? – How to check

  1. Open the back end

    Log in to the Joomla administrator.

  2. Check the version

    Under ExtensionsManageManage, filter for RSFiles and read off the version.

  3. Assess the version

    If the version is 1.17.11 or older, action is urgently needed.

  4. Watch for traces

    Check the RSFiles! downloads folder for foreign .php files (via SSH, e.g. find … -name "*.php") and your Users list for unknown administrator accounts.

How to fix it

Before any update: back up
Back up your files and database before updating – so you can roll back if anything goes wrong (e.g. via Akeeba Backup or your host).
  1. Open the Update center

    Go to SystemUpdateExtensions and click Check for updates.

  2. Update RSFiles!

    Select the entry and update to 1.17.12 or newer.

  3. Verify the version

    Then confirm that the new version has been applied.

Manual installation (alternative)
If no update appears, download the package from your RSJoomla! account and install it via ExtensionsManageInstall.

Official source: via RSJoomla! (account required). Make sure you have at least RSFiles! 1.17.12 or newer.

Has the site already been attacked?

If compromised, an update is not enough
The update closes the hole but does not remove any malware already uploaded. Search the downloads folder and the surrounding directories for foreign .php files, review your Users list for new Super Users, and if you find anything change all passwords (Joomla admin, FTP/SSH, database). When in doubt, have the site professionally cleaned.

Need help with the clean-up? Find qualified specialists in the Joomla Service Providers Directory.

Sources & further reading

The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.

Supporters

Supporters of this site

htprotect.org is a free, vendor-independent information service. It is supported by:

Host & community
FC-Hosting

Joomla host from Germany with active community support – discovered the first attack on the JCE vulnerability.

fc-hosting.de
Initiator & operator
Website-Bereinigung.de

Specialised in cleaning, maintaining and securing Joomla and WordPress websites.

website-bereinigung.de

Support this project

You run a hosting or Joomla service and would like to support htprotect.org – and be listed here as a supporter? Every contribution helps to warn and protect those affected faster.

Prefer to give privately, without a listing? A little something for the tip jar is just as welcome.

Support HTProtect now
Bauschild & Service

Manufactures and installs construction-site signs, hoardings and façade solutions – including design and 3D visualisation.

bauschildundservice.de
IT Specialista

Professional IT support from Czechia – Windows management, domain administration and web hosting.

defendersoft.cz
onlineweg.de

Travel portal from Germany – package holidays, hotels and flights online, with personal travel-agency advice.

onlineweg.de
Criadero

Creative agency from Brandenburg – web design, print media, photography and 360° panoramas from a single source.

criadero.de
Jahn EDV-Dienst GmbH

IT service provider from Wächtersbach – Joomla websites, PC service, hardware and software.

jahnedv.de