Joomla com_media Path Traversal via Unvalidated Search Parameter
CVE-2026-40384 Published on May 26, 2026
Joomla! Core - [20260510] - Path traversal in com_media webservice endpoint
An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.
Weakness Type
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2026-40384 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2026-40384
Want to know whenever a new CVE is published for Joomla? stack.watch will email you.
Affected Versions
Joomla! Project Joomla! CMS:- Version 4.0.0-5.4.5 is affected.
- Version 6.0.0-6.1.0 is affected.