extensions.joomla.org
External Program
Submit bugs directly to this organization
External Program
Submit bugs directly to this organization
Last Updated: 12 January 2026
The Joomla! Project takes security vulnerabilities very seriously. As such, the Joomla! Security Strike Team (JSST) oversees the project's security issues and follows some specific procedures when dealing with these issues.
In wild land firefighting, the term "Strike Team" is used to describe a collection of similar resources, which used for a specific purpose (https://en.wikipedia.org/wiki/Strike_Team). The JSST is called a strike team because it is a collection of developers and security experts tasked with improving and managing security for Joomla. The JSST roster can be found on the [https://volunteers.joomla.org/teams/security-strike-team](Joomla! Volunteers Portal).
If you want to join the team send an email to mailto:[email protected] and ask for more details. Due to the sensitive nature of security work the team's membership is restricted, but we welcome anyone who is qualified to contact us about membership.
If you find a possible vulnerability, please report it to the JSST first. You can contact the team via email at mailto:[email protected] or using the [/security/contact-the-team.html](contact form) on this site.
The JSST operates with a limited scope and only directly responds to issues with the core Joomla! CMS and Framework, as well as processing reports regarding the *.joomla.org network of websites. We do not directly handle potential vulnerabilities with Joomla! extensions, please report extensions vulnerablities to the respective vendor. We do however assign CVE IDs for extension vulnerabilities as the Joomla project is the responsible CNA. Furthermore, the [https://vel.joomla.org](Vulnerable Extensions List) contains reports of security vulnerabilities in extensions.
To be able to fully respond to a potential security issue, the JSST asks that issue reports includes as much of the following data as possible:
The Joomla! software (CMS or Framework) or website (*.joomla.org) affected by the vulnerability (for the software, please include the version(s) tested)
Steps to reproduce the problem
For the CMS or Framework, this should be what is required from a new install of the affected package
For the *.joomla.org websites, this should be the steps taken to trigger the vulnerability
If sharing a vulnerability reported elsewhere, please include the source of this report
A patch may be proposed which will be reviewed by the JSST
The JSST aims to ensure all issues are handled in a timely manner and for clear communication between the team and issue reporters. As such, we have established the following guidelines for responding to issue reports:
Within 24 hours every report gets acknowledged
Within 7 days every report gets a further response stating either
the issue is closed (and why)
the issue is still under investigation; if needed, additional information will be requested
Within 21 days every report must be resolved unless there are exceptional circumstances requiring additional time
We maintain [/security/gpg-keys.html](a GPG key )for the mailto:[email protected] to allow signed and encrypted communications.
Investigate and respond to reported vulnerabilities in the Joomla! CMS, Framework, and joomla.org websites.
Execute code reviews prior to release to identify new vulnerabilities.
Provide public presence regarding security issues.
Help the community understand Joomla! security.
Verified vulnerabilities will only be publicly announced AFTER a release is issued which fixes the vulnerability.
All announcements will contain as much information as possible, but will NOT contain step-by-step instructions for the vulnerability.
Articles are written about Joomla! all the time. In many circumstances, these articles (even from reputable sources) contain a significant amount of misinformation.
The JSST in conjunction with the [https://volunteers.joomla.org/teams/marketing](Marketing Team) will assess and address articles written about security issues
If the article contains valid information about a vulnerability not yet fixed, we will ask the publisher to suspend the article until we can fix the issue
If the article contains invalid information, we will note what is invalid, and ask the publisher to either fix or remove the article
The JSST will be available to answer questions/validate any Joomla! security related articles on the publisher's request
Critical and high-level vulnerabilities trigger an immediate release cycle
The Joomla! project may release an advisory indicating the scheduled release window to allow site owners to prepare for the release
Moderate vulnerabilities may trigger a release cycle depending on the specific issue
Low and very low vulnerabilities (and moderates which do not trigger a release cycle) will be included with the next scheduled maintenance release
All security releases will be accompanied by one (or more) appropriate [/security-centre.html](security announcements)
The Joomla! project will properly credit individuals and/or organizations who responsibly disclose security issues to the JSST. You can indicate the way you would like to be referred to in the advisory about the vulnerability. Our preference is to use full names. If you do not specify then we will use the contact name associated with the email address the report was received from. You can also request a pseudonym or having your name withheld.
In accordance with the [/cms/development-strategy.html#security_policy](security policy) from the Joomla! project's development strategy, there are two main details that contribute to a vulnerability's priority or "threat level":
Level | Description |
Critical | “0-day" attacks, and attacks where site control is compromised (allows attacker to take control of the site). |
High | SQL injection attacks, remote file include attacks, and other attack vectors where site data is compromised. |
Moderate | XSS attacks, write ACL violations (editing or creating of content where not allowed). |
Low | Read ACL violations (reading of content where not allowed). |
Level | Description | Release Fix |
Critical | VERY easy to perform. Relies on no outside information (TRUE 0-day attack). | As soon as possible |
High | Moderately easy to perform. May rely on readily available outside information. | Per oCERT guidelines |
Moderate | Not easy to perform. May rely on sensitive information. | Per oCERT guidelines |
Low | Difficult to perform. Relies on sensitive information or requires special circumstances to perform. | Per oCERT guidelines |
NOTE: The descriptions are just generic guidelines. Each vulnerability will be assessed for damage potential and will be ranked accordingly.
All currently developed and supported versions of the Joomla! CMS and Framework will be actively monitored by the JSST.