CVE-2026-23898
Published: 01 April 2026
Summary
CVE-2026-23898 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Joomla! (Joomla CMS). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The vulnerability ranks at the 0.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the lack of input validation in the autoupdate server mechanism that enables arbitrary file deletion via external control of file paths.
- SI-9 (Information Input Restrictions): enforces restrictions on information inputs to the com_joomlaupdate component, preventing malicious file paths from being processed.
- Least-privilege control: limits the privileges required for autoupdate operations, reducing the attack surface for high-privilege (PR:H) users exploiting the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file deletion directly enables indicator removal via file deletion and data destruction on the affected system.
NVD Description
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.
Deeper analysis
CVE-2026-23898 is an arbitrary file deletion vulnerability stemming from a lack of input validation in the autoupdate server mechanism of Joomla CMS, specifically within the com_joomlaupdate core component. Published on 2026-04-01, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-73 (External Control of File Name or Path).
The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L) by authenticated users holding high privileges (PR:H); it requires no user interaction (UI:N) and its scope is unchanged (S:U). A successful attacker can delete arbitrary files, with high impact on confidentiality (C:H), integrity (I:H), and availability (A:H).
The official Joomla security advisory at https://developer.joomla.org/security-centre/1031-20260305-core-arbitrary-file-deletion-in-com-joomlaupdate.html details mitigation steps for this issue.
Details
- CWE(s)