CVE-2026-40383
Analyzed Analyzed - Analysis Complete

Local File Inclusion in Joomla CMS

Vulnerability report for CVE-2026-40383, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-26

Last updated on: 2026-05-27

Assigner: Joomla! Project

Description

An improper validation of user-supplied input leads to a local file inclusion vulnerability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-26
Last Modified
2026-05-27
Generated
2026-07-06
AI Q&A
2026-05-26
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
joomla joomla! From 6.0.0 (inc) to 6.1.1 (exc)
joomla joomla! From 3.2.1 (inc) to 5.4.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-40383 is a Local File Inclusion (LFI) vulnerability in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0. It occurs due to improper validation of user-supplied input in the HTMLView layout parameter, which allows an attacker to include local files from the server.

Impact Analysis

This vulnerability can have a high impact because it allows attackers to include and potentially access sensitive local files on the server. This could lead to information disclosure, unauthorized access to server data, or further exploitation of the system. However, the probability of exploitation is considered low.

Detection Guidance

CVE-2026-40383 is a Local File Inclusion (LFI) vulnerability in Joomla! CMS related to improper validation of the HTMLView layout parameter. Detection typically involves monitoring for suspicious requests attempting to exploit this parameter.

Specific commands or detection scripts are not provided in the available resources. However, administrators can look for unusual HTTP requests containing attempts to manipulate the 'layout' parameter to include local files.

Mitigation Strategies

The immediate mitigation step is to upgrade Joomla! CMS to the patched versions 5.4.6 or 6.1.1 or later, as these versions contain the fix for the vulnerability.

Until the upgrade can be performed, it is advisable to restrict access to the vulnerable parameter and monitor for suspicious activity related to the HTMLView layout parameter.

Compliance Impact

The provided information does not specify how the Local File Inclusion vulnerability in Joomla! CMS (CVE-2026-40383) directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40383. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart