RSFiles! – critical upload flaw with code execution
Secure version: RSFiles! 1.17.12 or newer · via RSJoomla! (account required)
At a glance
com_rsfiles)What is this about?
RSFiles! (com_rsfiles) manages file downloads in Joomla. Its front-end upload path was left open: the responsible task could be called without logging in, without a security token (CSRF), and the file was stored without checking its type.
As a result, an attacker can upload a PHP file into the publicly reachable downloads folder and then open it directly – the injected code runs on the server (remote code execution). At that point the whole site can be taken over.
Affected are all versions up to and including 1.17.11. The fix has been available since 10 July 2026 as 1.17.12. A CVE number had been requested but not yet assigned at the time of disclosure.
Am I affected? – How to check
- Open the back end
Log in to the Joomla administrator.
- Check the version
Under Extensions›Manage›Manage, filter for
RSFilesand read off the version. - Assess the version
If the version is 1.17.11 or older, action is urgently needed.
- Watch for traces
Check the RSFiles! downloads folder for foreign
.phpfiles (via SSH, e.g.find … -name "*.php") and your Users list for unknown administrator accounts.
How to fix it
- Open the Update center
Go to System›Update›Extensions and click Check for updates.
- Update RSFiles!
Select the entry and update to 1.17.12 or newer.
- Verify the version
Then confirm that the new version has been applied.
Official source: via RSJoomla! (account required). Make sure you have at least RSFiles! 1.17.12 or newer.
Has the site already been attacked?
.php files, review your Users list for new Super Users, and if you find anything change all passwords (Joomla admin, FTP/SSH, database). When in doubt, have the site professionally cleaned.Need help with the clean-up? Find qualified specialists in the Joomla Service Providers Directory.
Sources & further reading
- Original advisory – mySites.guruAdvisory with technical details
- RSJoomla! (vendor)Get the update via the Joomla updater or your RSJoomla! account
- Joomla Vulnerable Extensions List (VEL)Community-run list of vulnerable extensions
The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.
Supporters of this site
htprotect.org is a free, vendor-independent information service. It is supported by:

Joomla host from Germany with active community support – discovered the first attack on the JCE vulnerability.
fc-hosting.deSpecialised in cleaning, maintaining and securing Joomla and WordPress websites.
website-bereinigung.deSupport this project
You run a hosting or Joomla service and would like to support htprotect.org – and be listed here as a supporter? Every contribution helps to warn and protect those affected faster.
Prefer to give privately, without a listing? A little something for the tip jar is just as welcome.
Manufactures and installs construction-site signs, hoardings and façade solutions – including design and 3D visualisation.
bauschildundservice.deProfessional IT support from Czechia – Windows management, domain administration and web hosting.
defendersoft.czTravel portal from Germany – package holidays, hotels and flights online, with personal travel-agency advice.
onlineweg.deCreative agency from Brandenburg – web design, print media, photography and 360° panoramas from a single source.
criadero.deIT service provider from Wächtersbach – Joomla websites, PC service, hardware and software.
jahnedv.de