CVE-2026-40383
Local File Inclusion in Joomla CMS
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: Joomla! Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joomla | joomla | From 3.2.1 (inc) to 5.4.5 (inc) |
| joomla | joomla | From 6.0.0 (inc) to 6.1.0 (inc) |
| joomla | joomla | 5.4.6 |
| joomla | joomla | 6.1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40383 is a Local File Inclusion (LFI) vulnerability in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0. It occurs due to improper validation of user-supplied input in the HTMLView layout parameter, which allows an attacker to include local files from the server.
How can this vulnerability impact me? :
This vulnerability can have a high impact because it allows attackers to include and potentially access sensitive local files on the server. This could lead to information disclosure, unauthorized access to server data, or further exploitation of the system. However, the probability of exploitation is considered low.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
CVE-2026-40383 is a Local File Inclusion (LFI) vulnerability in Joomla! CMS related to improper validation of the HTMLView layout parameter. Detection typically involves monitoring for suspicious requests attempting to exploit this parameter.
Specific commands or detection scripts are not provided in the available resources. However, administrators can look for unusual HTTP requests containing attempts to manipulate the 'layout' parameter to include local files.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Joomla! CMS to the patched versions 5.4.6 or 6.1.1 or later, as these versions contain the fix for the vulnerability.
Until the upgrade can be performed, it is advisable to restrict access to the vulnerable parameter and monitor for suspicious activity related to the HTMLView layout parameter.