Joomla 5.4.6 Security & Bugfix Release

26 May 2026

On Tuesday, May 26, 2026, the Joomla! Project released Joomla 6.1.1 together with Joomla 5.4.6. These are security and bug fix releases for the Joomla 5.x and 6.x series.

Security fixes in Joomla 5.4.6

  • Cross-site scripting (XSS) - CVE 20260501, 502, 503, 504, plus the two Framework ones (519, 520)
    XSS means an attacker manages to sneak malicious code (usually JavaScript) into a page so it runs in someone else's browser — potentially stealing their session or doing things as them. This batch found XSS holes in the feed modules, the multilingual associations component, the content history feature, and in "read more" links. The two Framework items (519 and 520) are the underlying cause for some of these: the text-filtering code that's supposed to strip dangerous HTML attributes wasn't catching everything, so bad input slipped through.
  • SQL injection - CVE 20260506, 507
    SQL injection is when an attacker feeds crafted input that tricks the database into doing things it shouldn't. These two are "authenticated blind" versions: "authenticated" means the attacker needs a valid login first, and "blind" means they can't see the database's answers directly but can still extract data by inference, one yes/no question at a time. They were found in the Smart Search (com_finder) and tags components.
  • Privilege escalation and access-control failures - CVE 20260508, 513, 514, 515, 516
    These are all cases where someone could do more than they're supposed to. Two let a user escalate their own privileges through the user-management component (one via the batch-edit task, one via the web-service API). The others are missing or incorrect permission checks in the configuration web-service endpoints, the sample-data plugins, and the task scheduler: places where the system failed to verify properly that the person was allowed in.
  • Authentication bypass - CVE 20260505, 511, 512, 518
    The two MFA bypasses (511, 512) are the most serious-sounding: they let an attacker get past two-factor/multi-factor authentication, which is the exact protection meant to stop account takeover. The CSRF issue (505) in the account-activation endpoint means an attacker could trick a logged-in user's browser into performing an activation action without their consent. And 518 is a "downgrade" flaw: password/username reset links could be sent over unencrypted (plain HTTP) connections instead of secure HTTPS, exposing them to interception.
  • File access flaws - CVE 20260509, 510
    These let an attacker reach files they shouldn't. The LFI ("local file inclusion") in the layout parameter (509) could trick the system into loading arbitrary local files via a manipulated layout setting. The path-traversal issue in the media web-service (510) is similar — using tricks like "../" in a path to escape the intended folder and reach other files on the server.
  • Caching bug with security impact - CVE 20260517
    The system was building cache keys for its input-filter objects incorrectly, which can cause the wrong (less strict) filtering rules to be applied to a request — effectively weakening the protection those filters provide.
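
The following is an added example, not Joomla's own code, for the account-activation CSRF item (505) and the reset-link downgrade item (518) above. It shows the two defences those fixes rely on: a CSRF token check on a state-changing request, and building account links from a configured https:// site URL instead of from the scheme of the incoming request. The function names, the route and the sample requests are assumptions for illustration; it runs on PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example (not Joomla's own code). Function names, route and sample
// requests are assumptions for illustration.

// Issue one token per session and reuse it for the session's lifetime.
function issueCsrfToken(array &$session): string
{
    $session['csrf'] ??= bin2hex(random_bytes(32));
    return $session['csrf'];
}

// Compare in constant time so the check does not leak the token byte by byte.
function verifyCsrfToken(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf'], $submitted);
}

// Scheme and host come from configuration, never from the request, so a
// request arriving over plain HTTP cannot downgrade the link that is emailed.
function buildAccountLink(string $configuredSiteUrl, string $route, string $token): string
{
    $parts = parse_url($configuredSiteUrl);
    if (!is_array($parts) || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        throw new RuntimeException('site URL must be an absolute https:// URL');
    }
    return rtrim($configuredSiteUrl, '/') . '/' . ltrim($route, '/')
        . '?token=' . rawurlencode($token);
}

// Minimal activation handler: refuse the request unless the CSRF token matches.
function handleActivation(array $session, array $post, string $siteUrl): array
{
    if (!verifyCsrfToken($session, $post['csrf'] ?? null)) {
        return ['status' => 403, 'body' => 'missing or invalid CSRF token'];
    }
    $activationToken = bin2hex(random_bytes(16));
    return [
        'status' => 200,
        'body'   => buildAccountLink($siteUrl, 'account/activate', $activationToken),
    ];
}

// Constructed scenario: one user session, a genuine form post carrying the
// session's token, and a forged cross-site post that carries no token.
$siteUrl   = 'https://example.com';
$session   = [];
$formToken = issueCsrfToken($session);

$genuine = handleActivation($session, ['csrf' => $formToken], $siteUrl);
$forged  = handleActivation($session, [], $siteUrl);

printf("genuine request: %d %s\n", $genuine['status'], $genuine['body']);
printf("forged request:  %d %s\n", $forged['status'], $forged['body']);

// A site URL configured without TLS is refused rather than silently used.
try {
    buildAccountLink('http://example.com', 'account/activate', 'x');
} catch (RuntimeException $e) {
    echo "plain-http site URL rejected: {$e->getMessage()}\n";
}
```

The forged post is rejected with 403 while the genuine one receives an https link; the last call shows that a misconfigured http:// site URL fails loudly instead of producing a downgraded link. In a real deployment the session array would be the server-side session store and the token would be embedded in the activation form as a hidden field.

The next block is an added example, not Joomla's own code, for the path-traversal item (510) above: resolving a user-supplied media path against a fixed base directory. It shows the naive join that lets "../" escape the folder beside a hardened resolver that normalises the path lexically and rejects anything that climbs above the base. The function names, base directory and sample requests are assumptions for illustration; it runs on PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example (not Joomla's own code). Function names, the base directory
// and the sample requests are assumptions for illustration.

// Naive version: joins base directory and requested path and trusts the result.
// A request such as "../configuration.php" escapes the media folder.
function resolveMediaPathNaive(string $baseDir, string $requested): string
{
    return rtrim($baseDir, '/') . '/' . ltrim($requested, '/');
}

// Hardened version: normalise the path segment by segment without touching the
// filesystem (so it also works for files that do not exist yet), refuse any
// attempt to climb above the base directory, and re-check the prefix at the end.
// Returns null for anything that must be rejected.
function resolveMediaPath(string $baseDir, string $requested): ?string
{
    $base = rtrim(str_replace('\\', '/', $baseDir), '/');

    // NUL bytes can truncate a path in lower-level calls; reject them outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $requested)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;          // empty segment or "current directory": skip
        }
        if ($segment === '..') {
            if ($parts === []) {
                return null;   // would climb above the base directory
            }
            array_pop($parts); // "../" inside the tree is harmless: fold it
            continue;
        }
        $parts[] = $segment;
    }

    $resolved = $base . '/' . implode('/', $parts);

    // Defence in depth: the prefix check catches anything the loop missed.
    if (strpos($resolved, $base . '/') !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed sample requests, as a media web-service endpoint might receive
// them after URL decoding.
$base    = '/var/www/site/images';
$samples = [
    'banners/logo.png',
    './banners/../banners/logo.png',
    '../configuration.php',
    'banners/../../configuration.php',
    "logo.png\0.jpg",
];

foreach ($samples as $req) {
    $naive = resolveMediaPathNaive($base, $req);
    $safe  = resolveMediaPath($base, $req) ?? 'REJECTED';
    printf("%-36s naive: %-48s hardened: %s\n", json_encode($req), $naive, $safe);
}
```

The two traversal requests and the NUL-byte request come back as REJECTED from the hardened resolver while the naive join happily points at configuration.php. The lexical check must run on the decoded path, after the web server or framework has applied URL decoding. For files that already exist, comparing `realpath()` of the result against `realpath()` of the base directory adds a second layer that also covers symlinks.

The last block is an added example, not Joomla's own code, for the cache-key item (517) above. A tiny tag filter and a filter registry show how a cache key that omits one of the filter's options returns a previously built, more permissive filter to a request that asked for a strict one, and how serialising every option into the key fixes it. The class names, the filter's "allow" and "block" modes and the sample HTML are assumptions for illustration; it needs PHP 8.0 or later for constructor property promotion.

```php
<?php
declare(strict_types=1);

// Added example (not Joomla's own code). Class names, the two filter modes and
// the sample HTML are assumptions for illustration.

// Toy tag filter. In 'allow' mode only the listed tags are kept; in 'block'
// mode the listed tags are removed and everything else is kept.
final class TagFilter
{
    /** @param string[] $tags */
    public function __construct(private array $tags, private string $mode) {}

    public function apply(string $html): string
    {
        $tags = array_map('strtolower', $this->tags);
        return preg_replace_callback(
            '#</?([A-Za-z][A-Za-z0-9]*)\b[^>]*>#',
            function (array $m) use ($tags): string {
                $listed = in_array(strtolower($m[1]), $tags, true);
                $keep   = $this->mode === 'allow' ? $listed : !$listed;
                return $keep ? $m[0] : '';
            },
            $html
        );
    }
}

// Registry that caches filter instances by a key derived from their options.
final class FilterRegistry
{
    /** @var array<string, TagFilter> */
    private array $cache = [];

    public function __construct(private bool $fixedKeys) {}

    /** @param string[] $tags */
    public function get(array $tags, string $mode): TagFilter
    {
        // Buggy key: built from the tag list only, so an 'allow' filter and a
        // 'block' filter for the same tags share one cache slot.
        // Fixed key: serialises every option that changes the filter's behaviour.
        $key = $this->fixedKeys
            ? md5(serialize([$tags, $mode]))
            : md5(implode('|', $tags));

        return $this->cache[$key] ??= new TagFilter($tags, $mode);
    }
}

// Constructed input that a strict filter must not let through unchanged.
$html = '<script>alert(1)</script><b>hi</b>';

foreach (['buggy' => false, 'fixed' => true] as $label => $fixedKeys) {
    $registry = new FilterRegistry($fixedKeys);

    // First request: a permissive filter that only removes <b>.
    $registry->get(['b'], 'block')->apply($html);

    // Second request: a strict filter that keeps only <b>. With the buggy key
    // it is handed the cached permissive filter from the first request instead.
    $out = $registry->get(['b'], 'allow')->apply($html);
    printf("%-5s registry, strict request -> %s\n", $label, $out);
}
```

With the buggy registry the strict request receives the permissive filter and the `<script>` element survives; with the fixed registry the strict request strips it and keeps only `<b>`. The general rule the example illustrates is that a cache key for a security-relevant object must be derived from the complete configuration that determines its behaviour, not from a convenient subset of it.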

Bug fixes in the Joomla 5.4.6 release

  • Accessibility
    This release brought several improvements for people who rely on screen readers or keyboard navigation. The "Back to Top" link now works correctly with assistive technology, a missing table column header was added, and the language installation info screen was made more accessible.
  • Editing and content
    A few fixes here smooth out everyday work. If a notification email fails to send, the system no longer wrongly claims the whole save failed, when in fact it worked. Custom fields attached to categories load correctly again, and authors can now properly preview earlier versions of an article.
  • Updates and maintenance
    The auto-updater got two useful fixes: it now cleans up the leftover update archive file after the core updates itself, and it correctly displays the time it last checked for updates.
  • Interface and appearance
    On the visual side, toolbar dropdown menus now align correctly in the admin area for right-to-left languages like Arabic and Hebrew, and searching within a Fancy Select dropdown now matches text typed anywhere in an option rather than only at the start.

Note: don't jump straight to 5.x from a version below 4.4! Update to 4.4 first, then to 5.x.

The full list of changes can be found in the 5.4.6 milestone on GitHub.

Upgrade to Joomla 6

The primary purpose of Joomla 5.4.x releases is to help website owners get ready for an easy transition from Joomla 5.x to Joomla 6.x. All new websites we develop are built directly on Joomla 6.x. Existing websites are upgraded once the hosting environment (including the PHP and database versions) and all installed extensions are fully compatible with Joomla 6.

Do you need help with updating or migrating your website to Joomla 6? Contact us!

© db8.nl. All rights reserved.