Joomla!

v6.1.1 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 8d Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 3 known CVEs

Topics

cms content-management joomla multilingual-websites php php-cms

+1 more

website-builder

Affected surfaces

auth deps

ReleasePort's take

Moderate signal

editorial:auto 8d

Update phpseclib/phpseclib to version 3.0.52 to address a high‑severity security vulnerability.

Why it matters: The release fixes one high‑severity CVE in the widely used phpseclib dependency; upgrading is required for affected projects.

Summary

AI summary

Broad release touches 👀 Release information, https://docs.joomla.org/How_to_determine_a_package_checksum, tar.zst, and zip.

Changes in this release

Type	Severity	Summary	CVE
Security
Security	Critical	Update phpseclib/phpseclib to 3.0.51 fixing one low and one high severity security vulnerability. Update phpseclib/phpseclib to 3.0.51 fixing one low and one high severity security vulnerability. Source: llm_adapter@2026-05-26 Confidence: high	—
Security	Critical	Update phpseclib/phpseclib to 3.0.52 fixing one high severity security vulnerability. Update phpseclib/phpseclib to 3.0.52 fixing one high severity security vulnerability. Source: llm_adapter@2026-05-26 Confidence: high	—
Security	High	Update npm indirect development dependencies fixing 3 security vulnerabilities. Update npm indirect development dependencies fixing 3 security vulnerabilities. Source: llm_adapter@2026-05-26 Confidence: high	—
Security	High	Update joomla/oauth2 to 4.0.2 fixing OAuth2Client authentication issues. Update joomla/oauth2 to 4.0.2 fixing OAuth2Client authentication issues. Source: llm_adapter@2026-05-26 Confidence: low	—
Feature
Feature	Low	Add AJAX error message scripts for improved menu item editing feedback. Add AJAX error message scripts for improved menu item editing feedback. Source: llm_adapter@2026-05-26 Confidence: high	—
Feature	Low	Show preselected value in fancy select component. Show preselected value in fancy select component. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Feature	Low	Make collapsible default menu overridable. Make collapsible default menu overridable. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Feature	Low	Add color variable for disabled field (choicesjs). Add color variable for disabled field (choicesjs). Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Feature	Low	Override background colour of .is-selected class in dark mode. Override background colour of .is-selected class in dark mode. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Bugfix
Bugfix	Medium	Fix clear button not resetting calendar filters. Fix clear button not resetting calendar filters. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	Fix missing closing angle bracket for fieldset in repeatable layout. Fix missing closing angle bracket for fieldset in repeatable layout. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	Prevent fatal error when getTemplate method is called in API application. Prevent fatal error when getTemplate method is called in API application. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	Fix TinyMCE menu bar visibility in fullscreen mode. Fix TinyMCE menu bar visibility in fullscreen mode. Source: llm_adapter@2026-05-26 Confidence: low	—
Bugfix	Medium	Fix publishing fields not shown on create article form. Fix publishing fields not shown on create article form. Source: llm_adapter@2026-05-26 Confidence: low	—
Bugfix	Low	Add missing string COM_USERS_COMPLETE. Add missing string COM_USERS_COMPLETE. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Bugfix	Low	Correct z-index select field in Cassiopeia template. Correct z-index select field in Cassiopeia template. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Bugfix	Low	Show version history only if supported in FormView. Show version history only if supported in FormView. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Bugfix	Low	Fix default value for save_history in com_modules. Fix default value for save_history in com_modules. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Bugfix	Low	Add translate format for auto updater last check time display. Add translate format for auto updater last check time display. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Bugfix	Low	Fix pin SHA in ci.yml file. Fix pin SHA in ci.yml file. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Bugfix	Low	Catch punycode conversion exceptions to prevent crash. Catch punycode conversion exceptions to prevent crash. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Bugfix	Low	Fix Debug plugin crash with Query Explain on AJAX requests. Fix Debug plugin crash with Query Explain on AJAX requests. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—

Full changelog

👀 Release information

💁 11+ contributors
🧰 22+ Pull Requests has been merged
⬆️ New migration guide
📖 New developer documentation
🌎 Release page
👀 Full Changelog

🚀 Download information

[!NOTE]
Userfacing information about this Joomla! release can be found on the release page

🔥 Installation Packages

| New Joomla! Installations | SHA-256 Checksums |
|---------------------------|-------------------|
| ZIP Archive (.zip) | bc27840f38687da105dc5f8a00f94f688b46526379f075fc67020c8d1d8d6e7a |
| GNU Zip Archive (.tar.gz) | 6174d99a3485d858707040345a7470a08efbaa02a67178d8029aadf3af212129 |
| Zstandard Archive (.tar.zst) | 14fa56479fb2d477bdd621f7e74da8e4c8affc33baef8ae07aedfa711d5b9d09 |

Additional and a second source of checksums can be found at our official download page. If you need further information on how to validate a release package please visit our documentation.

✒️ Upgrade Packages

[!IMPORTANT]
Don't update directly from a version lower than 5.4 it is important that you first update to 5.4 and then update to 6.x

| Update from a previous version | SHA-256 Checksums |
|--------------------------------|-------------------|
| ZIP Archive (.zip) | 54189e6297f7413e1481f99f688f4ece8b6d4cae255b4d5268ae95820fada361 |
| GNU Zip Archive (.tar.gz) | 3fe31ebb3d5dbd2765540c0fc602c9fecb617e9161c591eee6fefa2c1bfec2b7 |
| Zstandard Archive (.tar.zst) | c3e176c2c7698c25271f0412846f9eed828451abc9fa2d3092dc61fe00e92b82 |

Additional and a second source of checksums can be found at our official download page. If you need further information on how to validate a release package please visit our documentation.

🧹 What has been changed

[6.1] Composer update phpseclib/phpseclib to 3.0.51 to fix one low and one high severity security vulnerability by @richard67 in https://github.com/joomla/joomla-cms/pull/47620
[6.1] NPM update indirect development dependencies to fix 3 security vulnerabilities by @richard67 in https://github.com/joomla/joomla-cms/pull/47622
[6.1] add missing string COM_USERS_COMPLETE by @tecpromotion in https://github.com/joomla/joomla-cms/pull/47695
[6.1] Composer update joomla/oauth2 to 4.0.2 to fix OAuth2Client authentication by @richard67 in https://github.com/joomla/joomla-cms/pull/47722
[6.1] Composer update phpseclib/phpseclib to 3.0.52 to fix one high severity security vulnerability by @richard67 in https://github.com/joomla/joomla-cms/pull/47738
[6.1] Cassiopeia - Correct z-index select field by @drmenzelit in https://github.com/joomla/joomla-cms/pull/47715
[6.1] Only show version history in FormView if version history is supported by @joomdonation in https://github.com/joomla/joomla-cms/pull/47694
[6.1] Fix clear button not resetting calendar filters by @adarshdubey03 in https://github.com/joomla/joomla-cms/pull/47686
[6.1] Fix missing closing angle bracket for fieldset in repeatable layout by @iteidrm in https://github.com/joomla/joomla-cms/pull/47617
[6.1] fix TinyMCE menu bar visibility in fullscreen mode by @adarshdubey03 in https://github.com/joomla/joomla-cms/pull/47661
[6.1] Fix default value for save_history in com_modules by @chmst in https://github.com/joomla/joomla-cms/pull/47659
[6.1] Prevent fatal error when getTemplate method is called in API application by @joomdonation in https://github.com/joomla/joomla-cms/pull/47646
[6.1] Fix publishing fields not shown on create article form by @joomdonation in https://github.com/joomla/joomla-cms/pull/47640
[6.1] Show preselected value in fancy select by @krishnagandhicode in https://github.com/joomla/joomla-cms/pull/47546
[6.1] Add AJAX error message scripts for improved menu item editing feedback by @brianteeman in https://github.com/joomla/joomla-cms/pull/47602
[6.1] Fix: Debug plugin crash with Query Explain on AJAX requests by @hiteshm0 in https://github.com/joomla/joomla-cms/pull/47601
[6.1] override background colour of .is-selected class in dark mode by @hiteshm0 in https://github.com/joomla/joomla-cms/pull/47574
[6.1] Catch punycode conversion exceptions to prevent crash by @hiteshm0 in https://github.com/joomla/joomla-cms/pull/47557
[6.1] Add translate format so that the last check time of the auto updater is actually shown by @zero-24 in https://github.com/joomla/joomla-cms/pull/47591
[6.1] Make collapsible default menu overridable by @drmenzelit in https://github.com/joomla/joomla-cms/pull/47599
[6.1] fix pin SHA in ci.yml by @tecpromotion in https://github.com/joomla/joomla-cms/pull/47772
[6.1] Add color variable for disabled field (choicesjs) by @drmenzelit in https://github.com/joomla/joomla-cms/pull/47775

:technologist: Test contributions

Thank you to all the testers who help us maintain high quality standards and deliver a robust product.

@adarshdubey03 (7), @alikon (3), @BeginnerJoomlaCom (6), @brianteeman (5), @chmst (2), @ChristineWk (1), @cyrez (1), @eddiekonczal (1), @exlemor (3), @hiteshm0 (2), @JLTRY (1), @krishnagandhicode (7), @LadySolveig (1), @laoneo (1), @luX0r-reload (1), @muhme (1), @Ruud68 (1), @tecpromotion (3), @ThomasFinnern (1)

Security Fixes

Composer update phpseclib/phpseclib to 3.0.51 fixes one low and one high severity security vulnerability
Composer update phpseclib/phpseclib to 3.0.52 fixes one high severity security vulnerability
NPM update indirect development dependencies fixes 3 security vulnerabilities

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Joomla!

Get notified when new releases ship.

About Joomla!

Advanced Content Management System (CMS).

All releases →