Joomla! Vulnerable Extensions List

Download
Demo
PHP Mailer Vulnerability - Morals or Money - Joomla Quickstart packages are a danger? - The Vulnerable Extensions List team is looking for new members. - Users registering without a registration form being published - What Does A Security Release Notice Look Like? - The Perils of the Default Settings - Responsible disclosure - VEL API /JSON released

The Joomla Project recently released a security advisory regarding the PHP Mailer library. Please read the announcement for further details. Some extensions also include their own versions of vulnerable library, and developers of the relevant extensions are urged to release updates as soon as possible.

The VEL will be maintaining a list of extensions affected by the issue. Users of the affected extensions are strongly advised to update. To be clear, inclusion on the list simply means that the extension includes the vulnerable library, not that an exploit exists, you should contact the developer if you have any questions.

Please check with the extension publisher in case of any questions over the security of their product.

How to use this site

All known vulnerable extensions are the listed in the LIVE VEL section

This list is compiled from found information and may not be an up to date accurate list

  • We do NOT promise to test or validate these reports.
  • We do NOT guarantee the quality or effectiveness of any updates reported to us or listed here.
  • We do not list BETA products, or extensions for J1.0.x or J1,5,x.

How to report a suspected Vulnerable Extension.


Select the Vulnerability Reporting Link

 

 

 

Developers - How to get yourself RESOLVED on the VEL

Please solve the issues and:

 

To have your extension marked as resolved, please follow these steps:

 

  1. Contact the VEL team* with a notice of resolution, the latest version number and a link to the security release statement on your website. (Please read this article for further information on making a security release notice).
  2. Create a JED listing owner ticket to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page

JVEL contact details  and the JED support link is in your notice of "unpublication"

  • If not JED listed.

Inform us with a notice of resolution, the latest version number and a link to the security release statement on your website.

 * a developer must use the update form for notice of resolution