Cyber Resilience

CVE-2026-23898

Severity: High

Published: 01 April 2026

Modified: 09 April 2026
CVSS v4 score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0045 (36.1st percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23898 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Joomla Joomla!. Its CVSS v4 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The CVE ranks at the 36.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).

Deeper analysis

CVE-2026-23898 is an arbitrary file deletion vulnerability stemming from a lack of input validation in the autoupdate server mechanism of Joomla CMS, specifically within the com_joomlaupdate core component. Published on 2026-04-01, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-73 (External Control of File Name or Path).

The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L) by authenticated users possessing high privileges (PR:H), without requiring user interaction (UI:N) and with an unchanged scope (S:U). Attackers can achieve arbitrary file deletion, resulting in high impacts to confidentiality (C:H), integrity (I:H), and availability (A:H).

The official Joomla security advisory at https://developer.joomla.org/security-centre/1031-20260305-core-arbitrary-file-deletion-in-com-joomlaupdate.html details mitigation steps for this issue.

Vulnerability details

Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

CWE(s)

CWE-73 External Control of File Name or Path

Related Threats

MITRE ATT&CK Enterprise Techniques

T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

Why these techniques?

Arbitrary file deletion directly enables indicator removal via file deletion and data destruction on the affected system.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21629 · Same product: Joomla Joomla!
CVE-2026-35221 · Same product: Joomla Joomla!
CVE-2024-40749 · Same product: Joomla Joomla!
CVE-2026-48904 · Same product: Joomla Joomla!
CVE-2026-21630 · Same product: Joomla Joomla!
CVE-2024-40748 · Same product: Joomla Joomla!
CVE-2026-23899 · Same product: Joomla Joomla!
CVE-2026-35222 · Same product: Joomla Joomla!
CVE-2026-48898 · Same product: Joomla Joomla!
CVE-2026-48899 · Same product: Joomla Joomla!

Affected Assets

Vendor: joomla · Product: joomla! · Affected versions: 3.0.0 to 5.4.4, 6.0.0 to 6.0.4

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly addresses the lack of input validation in the autoupdate server mechanism that enables arbitrary file deletion via external control of file paths.

SI-9 Information Input Restrictions (prevent): Enforces restrictions on information inputs to the com_joomlaupdate component, preventing malicious file paths from being processed.

Least-privilege control (prevent): Limits privileges required for autoupdate operations, reducing the attack surface for high-privilege (PR:H) users exploiting the vulnerability.