Back to Home

Joomla 6.0.4 Updates: Security Patches

Joomla 6.0.4 and 5.4.4 fix six core vulnerabilities, including SQL injections and XSS. Admin panel, scheduler, and TinyMCE bugs fixed. Immediate update recommended for production sites.

Joomla 6.0.4: SQLi and XSS Fixes for Developers
Advertisement 728x90

Joomla 6.0.4 and 5.4.4: Key Security Patches and Bug Fixes

Joomla developers have released versions 6.0.4 and 5.4.4, focusing on addressing vulnerabilities and critical bugs. These releases impact the core of the 5.x and 6.x series, bolstering defenses against SQL injections, XSS, and ACL violations. Updates are mandatory for all active installations, as they affect com_ajax, com_content, and com_joomlaupdate components.

Core Vulnerabilities: Detailed Breakdown

The updates patch six key attack vectors:

  • Core [20260301]: ACL hardening in com_ajax, preventing unauthorized access to AJAX endpoints.
  • Core [20260302]: Blocking SQL injection in the com_content web service for the articles endpoint.
  • Core [20260303]: Fixing XSS in associations comparison mode (com_associations).
  • Core [20260304]: Resolving multiple XSS issues in material header rendering.
  • Core [20260305]: Prohibiting arbitrary file deletion via com_joomlaupdate.
  • Core [20260306]: Proper access rights validation in web services API.

These patches minimize exploitation risks in production environments involving user inputs and admin interfaces.

Google AdInline article slot

Interface and Rendering Bug Fixes

The updates include fixes for admin panel and frontend stability:

  • Eliminated icon flickering in the administrator sidebar.
  • Suppressed PHP warnings in the "Page Break" modal window.
  • Normalized placeholder rendering on GET requests to content.
  • Restored media edit icon when action plugins are absent.
  • Fixed relative CSS/JS paths on Cassiopeia template error pages.

These changes enhance UX for mid- and senior-level developers working with custom templates and extensions.

Backend Component Improvements

Focus on reliability of system services:

Google AdInline article slot
  • "Versions" button is hidden when the content history component is disabled.
  • MailHelper now properly parses domains with invalid characters.
  • The task scheduler is resilient to hung jobs—execution continues without breaking the chain.
  • TinyMCE initializes reliably in Firefox Developer Edition.

These fixes are critical for server tasks where fault tolerance affects cron jobs and automated processes.

Upgrade Recommendations

Before upgrading, back up your database and file system. Test on a staging server, verifying:

  • Custom plugins on com_ajax and com_content.
  • Integrations with external APIs via web services.
  • Frontend rendering in associations and media manager.

After updating, monitor logs for any lingering PHP 8.x+ warnings.

Google AdInline article slot

Key Takeaways

  • Six CVE-like vulnerabilities in core: SQLi, XSS, ACL, and file delete.
  • Admin stabilization: icons, modals, placeholders.
  • Backend fixes: scheduler, MailHelper, TinyMCE in Firefox.
  • Mandatory update for all 5.x/6.x LTS branches.

— Editorial Team

Advertisement 728x90

Read Next