Joomla 5.3.4 security release

01 October 2025

On Tuesday, September 30, 2025, Joomla 5.3.4 was released. This is a security release in the 5.x series to fix two security issues and several bugs.

Because this security flaw was also present in Joomla 4.4.13, and that version is still supported, a security update was released at the same time: Joomla 4.4.14.

What’s included in the Joomla 5.3.4 security release

Some key fixes are:

[20250901] - Core - Inadequate content filtering within the checkAttribute filter code
Attackers could inject malicious code into website content that runs in visitors’ browsers.
[20250902] - Core - User-Enumeration in passkey authentication method
Hackers could test login requests to find out whether a username exists on your site.

Both security issues are resolved by updating Joomla to the latest version (4.4.14 or 5.3.4).

Which bugs are fixed in the Joomla 5.3.4 update?

[5.3] Update Icon of Miscellaneous Information in Contact [46067]
[5.3] Fix deploy_version typo in com_scheduler [46085]
[5.3] Fix for in the build process wrongly removed copyright messages [46146]
[5.3] Restored Article Version Now Properly Checked Out to Current User [45597]
[5.3] DELETE request returns a 204 when an item doesn't exist [45589]
[5.3] Set http status header for XML/feed responses [45419]
[5.3] Update TinyMCE from 6.8.5 to 6.8.6 to fix TinyMCE issue with cursor placement [45987]
[5.3] Joomla Dialog add support for aria-label [46090]
[5.3] Add check if certain fields exist in versioning before using them [46009]
[5.3] Update joomla/filesystem package to fix extension uploads when post_max_size is 0 [45986]
[5.3] Enhance header handling in transport classes to support array values [46078]
[5.3] Composer update joomla/oauth2 to 3.0.2 to fix case insensitive OAuth2Client authentication [46132]
[5.3] Security updates for composer and npm dependencies for the upcoming 5.3.4 release [45984]