Skip to main content
Blog
Joomla 6.1.1 Security & Bugfix Release
Subscribe to our newsletter!

Joomla 6.1.1 Security & Bugfix Release

26 May 2026

On Tuesday, May 26, 2026, the Joomla! Project released Joomla 6.1.1 together with Joomla 5.4.6. These are security and bug fix releases for the Joomla 5.x and 6.x series.

Security fixes in Joomla 6.1.1

  • Cross-site scripting (XSS) - CVE 20260501, 502, 503, 504, plus the two Framework ones (519, 520)
    XSS means an attacker manages to sneak malicious code (usually JavaScript) into a page so it runs in someone else's browser — potentially stealing their session or doing things as them. This batch found XSS holes in the feed modules, the multilingual associations component, the content history feature, and in "read more" links. The two Framework items (519 and 520) are the underlying cause for some of these: the text-filtering code that's supposed to strip dangerous HTML attributes wasn't catching everything, so bad input slipped through.
  • SQL injection - CVE 20260506, 507
    SQL injection is when an attacker feeds crafted input that tricks the database into doing things it shouldn't. These two are "authenticated blind" versions, meaning the attacker needs a valid login first, and "blind" means they can't see the database's answers directly but can still extract data by inference. Found in the Smart Search (com_finder) and tags components.
  • Privilege escalation and access-control failures - CVE 20260508, 513, 514, 515, 516
    These are all cases where someone could do more than they're supposed to. Two let a user escalate their own privileges through the user-management component (one via the batch-edit task, one via the web-service API). Others are missing or incorrect permission checks in the configuration web-service endpoints, the sample-data plugins, and the task scheduler; places where the system forgot to properly verify the person was allowed in.
  • Authentication bypass - CVE 20260505, 511, 512, 518
    The two MFA bypasses (511, 512) are the most serious-sounding: they let an attacker get past two-factor/multi-factor authentication, which is the exact protection meant to stop account takeover. The CSRF issue (505) in the account-activation endpoint means an attacker could trick a logged-in user's browser into performing an activation action without their consent. And 518 is a "downgrade" flaw: password/username reset links could be sent over unencrypted (plain HTTP) connections instead of secure HTTPS, exposing them to interception.
  • File access flaws - CVE 20260509, 510
    These let an attacker reach files they shouldn't. The LFI ("local file inclusion") in the layout parameter (509) could trick the system into loading arbitrary local files via a manipulated layout setting. The path-traversal issue in the media web-service (510) is similar — using tricks like "../" in a path to escape the intended folder and reach other files on the server.
  • Caching bug with security impact - CVE 20260517
    The system was building cache keys for its input-filter objects incorrectly, which can cause the wrong (less strict) filtering rules to be applied to a request — effectively weakening the protection those filters provide.

Bug fixes in Joomla 6.1.1 (and 5.4.6)

These fixes apply to both releases. Everything fixed in 5.4.6 was also merged up into 6.1.1.

  • Security fixes in external libraries (6.1.1)
    The site updated a bundled encryption library (phpseclib) twice, closing one high-severity and a couple of lower-severity security holes. It also patched three more security vulnerabilities buried in development dependencies, and fixed the OAuth2 login component so that authenticating through external services (Google, etc.) works correctly again.
  • Bugs that affected daily use
    The auto-updater now cleans up properly, leftover update archive files were not being deleted after a core update, and it correctly shows when it last checked for updates. Saving content is more reliable: if a notification email failed to send, the system used to wrongly report that the whole save had failed, which no longer happens. The login/registration flow had a missing piece of text (the "complete registration" message) that's now restored. A crash on web addresses with special or international characters is now caught and handled instead of taking the page down. The debug tool no longer crashes the site when you use its "Query Explain" feature during background (AJAX) requests, and a fatal error that could occur when the API tried to load a template has been fixed. An incorrect error message when renaming a file was also corrected.
  • Editing, forms, and content
    Publishing options (publish dates, etc.) that had gone missing when creating a new article now appear again. Version history only shows up where it's actually supported instead of cluttering screens that don't use it. A broken bit of layout code (a missing bracket) in repeatable fields was corrected, the TinyMCE editor's menu bar is now visible in fullscreen mode, and you get proper error messages when editing menu items fails. Authors can now properly preview earlier versions of an article, category custom fields load correctly again, and converting content from HTML to plain text now handles tags properly. Searching within the Fancy Select dropdown also does a better job matching what you type.
  • Accessibility
    Several fixes target screen-reader and keyboard users: a missing table column header was added, the "Back to Top" link was made accessible, list-position information for assistive tech now counts correctly from the start, and language-installation info was made more accessible.
  • Interface and appearance
    A handful of visual fixes in the default Cassiopeia template: dropdown/select fields no longer sit incorrectly behind other elements, dark mode shows the right highlight colour for selected items, disabled dropdown fields display a proper "greyed out" colour, the "clear" button actually resets calendar filters now, and pre-selected values show up correctly in the fancy dropdown selectors. Right-to-left language admins get correctly aligned toolbar dropdowns, and the notification "dismiss" button was fixed for light mode.

A full list of changes can be found in the 6.1.1 milestone on GitHub.

Upgrading made simple

If your website is already running on Joomla 5.4, moving to Joomla 6.1 is typically a standard upgrade rather than a full migration. In most cases, the process is smooth and efficient, especially since the compatibility plugin helps maintain support for many existing extensions.

Proper preparation remains essential. Before updating your live site, it’s best to test the upgrade in a local or staging environment first. This allows you to verify that your templates, extensions, and custom functionality continue to work correctly, while reducing the risk of unexpected issues or downtime.

Need help updating or migrating to Joomla 6.1.1? Contact us!

Peter Martin
Joomla specialist for fast, secure and scalable websites.

Other articles

New website,
website optimisation,
website support or
training needed?

Correspondence

db8 Website Support
Galiciestraat 35
6663 NR Lent
The Netherlands

+31 85 301 48 28
support at db8 dot nl
+31 6 44 214 500 (urgent)

Nijmegen Office

NYMA makersplaats, Unit 69
Winselingseweg 16
6541 AK Nijmegen
Netherlands

By appointment
Monday to Friday
09:00 - 17:00 (5pm)
(Time zone: Central European Time)

Acquisition is
not appreciated

© db8.nl. All rights reserved.