The Joomla! Project is pleased to announce the release of Joomla 6.1.1 and Joomla 5.4.6. These are security & bugfix releases for the Joomla 5.x and 6.x series.

These releases continue Joomla’s high standards in accessible web design, highlighting Joomla's values of inclusiveness, simplicity and security into an even more powerful open-source web platform.

Security fixes

• [20260501] - Core - XSS in feed modules
• [20260502] - Core - XSS in com_associations
• [20260503] - Core - XSS in com_contenthistory
• [20260504] - Core - XSS in readmore links
• [20260505] - Core - CSRF in user activation endpoint
• [20260506] - Core - Authenticated blind SQLi in com_finder
• [20260507] - Core - Authenticated blind SQLi in com_tags
• [20260508] - Core - Improper access check in com_config webservice endpoints
• [20260509] - Core - LFI in HTMLView layout parameter
• [20260510] - Core - Path traversal in com_media webservice endpoint
• [20260511] - Core - MFA Authentication Bypass
• [20260512] - Core - MFA Authentication Bypass
• [20260513] - Core - Privilege escalation through com_users batch task
• [20260514] - Core - Privilege escalation through com_users webservice endpoints
• [20260515] - Core - Incorrect Access Control in sample data plugins
• [20260516] - Core - Incorrect Access Control in com_scheduler
• [20260517] - Core - Incorrect Cache Key Construction for InputFilter objects 
• [20260518] - Core - Transport encryption downgrade for password and username reset links
• [20260519] - Framework - Inadequate content filtering within the checkAttribute filter code 
• [20260520] - Framework - Inadequate content filtering within the cleanAttributes filter code 

Bug fixes and improvements

The following bug fixes are included in Joomla! 6.1.1 and Joomla! 5.4.6 (all 5.4 bug fixes are also up-merged into 6.1):

• #45145 [5.4] Bug fix : incorrect error thrown while renaming file by @hiteshm0
• #47307 [5.4] Fix accessibility issue with Back-to-Top link by @ankushx01-dev
• #47413 [5.4] Prevent misleading save failure when mail notification fails by @krishnagandhicode
• #47423 [5.4] Improve substring search in Fancy Select by @adarshdubey03
• #47476 [5.4] Add missing page parameter to contentEventArguments - Article Module by @LadySolveig
• #47480 [5.4] Fix incorrect bind parameter key in Category HTML helper by @janschoenherr
• #47533 [5.4] Fix ECB mode validation typo in OpenSSL AES adapter and align related docs by @mateeaaa
• #47546 [6.1] Show preselected value in fancy select by @krishnagandhicode
• #47557 [6.1] Catch punycode conversion exceptions to prevent crash by @hiteshm0
• #47565 [5.4] Attachments are a list of objects by @laoneo
• #47574 [6.1] override background colour of .is-selected class in dark mode by @hiteshm0
• #47586 [5.4] Fix Category Custom Fields Loading by @CSGoat0
• #47590 [5.4] Fix deletion of update archive after core autoupdate by @SniperSister
• #47599 [6.1] Make collapsible default menu overridable by @drmenzelit
• #47601 [6.1] Fix: Debug plugin crash with Query Explain on AJAX requests by @hiteshm0
• #47602 [6.1] Add AJAX error message scripts for improved menu item editing feedback by @brianteeman
• #47604 [5.4] Replace tags when converting from html to plain body by @laoneo
• #47616 [5.4] Add translate format so that the last check time of the auto updater is actually shown by @zero-24
• #47617 [6.1] Fix missing closing angle bracket for fieldset in repeatable layout by @iteidrm
• #47640 [6.1] Fix publishing fields not shown on create article form by @joomdonation
• #47642 [5.4] Correct aria-posinset to start from 1 [a11y] by @brianteeman
• #47644 [5.4] Missing table column header [a11y] by @brianteeman
• #47646 [6.1] Prevent fatal error when getTemplate method is called in API application by @joomdonation
• #47650 [5.4] Fix RTL toolbar dropdown alignment in admin by @krishnagandhicode
• #47653 [5.4] Language Installation Info [a11y] by @brianteeman
• #47659 [6.1] Fix default value for save_history in com_modules by @chmst
• #47661 [6.1] fix TinyMCE menu bar visibility in fullscreen mode by @adarshdubey03
• #47686 [6.1] Fix clear button not resetting calendar filters by @adarshdubey03
• #47694 [6.1] Only show version history in FormView if version history is supported by @joomdonation
• #47697 [5.4] Move mod_menu language load after client_id resolution in ItemsModel by @krishnagandhicode
• #47715 [6.1] Cassiopeia - Correct z-index select field by @drmenzelit
• #47729 [5.4] Light mode: dismiss button by @brianteeman
• #47731 [5.4] Child template name check only template type by @alikon
• #47735 [5.4] Fix Article Version Preview For Authors by @CSGoat0
• #47775 [6.1] Add color variable for disabled field (choicesjs) by @drmenzelit

The full list of Pull Requests for Joomla! 6.1.1 on GitHub is available here: https://github.com/joomla/joomla-cms/milestone/162?closed=1

The full list of Pull Requests for Joomla! 5.4.6 on GitHub is available here: https://github.com/joomla/joomla-cms/milestone/161?closed=1

Where can I download Joomla 6.1.1?

You can find all Joomla 6 downloads through the official downloads page at: https://downloads.joomla.org/cms/joomla6/ 

New Installations

New installation instructions and technical requirements

Install 6.1.1

Upgrade

Upgrade 6.1.1

Would you like to make a tour of Joomla 6 without having to install it? We have a solution for you: Install Joomla 6 at launch.joomla.org and update it (automatically).

Where can I download Joomla 5.4.6?

Packages in different formats can be downloaded as full packages for installing new Joomla Sites or as update packages for updating an existing Joomla site from:

https://downloads.joomla.org/cms/joomla5/5-4-6 

How can I upgrade my site to Joomla 6.1.1?

Good news for Joomla 5.4.x to 6.x, it’s an upgrade, not a migration. Why? Two main reasons:

1. Joomla 5 (J5) extensions that have removed all deprecations of code and are using up-to date Joomla code, will work in Joomla 6 (J6)

2. Most others will work with the new Behaviour 6 - Backward Compatibility Plugin enabled

The full details are found here: https://guide.joomla.org/user-manual/migration/joomla-5-to-6-planning-and-upgrade-step-by-step

Note: we advise you to first test the upgrade on a copy of your production site.

You may also wonder if you have to upgrade ASAP. We’ll support Joomla 5.4.x until 13 October 2026 with bugfix patches and until 12 October 2027 with security patches. So your site is not at risk if you don’t upgrade now. And don’t forget that some of your extensions may not be yet ready for Joomla 6 (even though most developers have done a great job offering a Joomla 6 test version for a while. You can filter by version in the Joomla Extensions Directory so you can see which are ready for J6 and which are J6 ready with the b/c plugin enabled.

Who is Joomla! for?

Web agencies, large and small companies, online shops, bloggers, communities, and all kinds of organizations (for example, NGOs, schools, charities and governments) all use Joomla as their preferred CMS.

Joomla is written by committed volunteers. Many of those volunteers use it in their everyday web design, building and hosting. So, unlike many other systems, Joomla is built by those using it on a daily basis. That is reflected in its secure, robust nature.

Is there help for extension developers with Joomla 6?

Yes, a growing manual is aimed at those who code and maintain their extensions. The manual can be found at https://manual.joomla.org/migrations/54-60/ and is a growing work to help developers get ahead of any changes.

How can you help develop Joomla?

There are a variety of ways in which you can get actively involved with Joomla. It doesn't matter if you are a coder, an integrator, or a user of Joomla. You can join the community on Mattermost and look through the teams to join, or if you are ready, you can jump right into the Joomla! Bug Squad.

The Joomla Bug Squad and the CMS Release Team are some of the most active teams in the CMS development process and are always looking for people (not just developers) who can help with sorting bug reports, coding patches and testing solutions. It is a great way to increase your working knowledge of the Joomla code base and also a great way to meet new people from all around the world.

You can also help Joomla development by thanking those involved in the many areas of the process. The Project also wants to thank all the contributors who have taken the time to prepare and submit work to be included in the Joomla CMS and Framework.

Where can I find documentation about Joomla 6?

The primary source for user documentation is guide.joomla.org. Developer documentation can be found at https://manual.joomla.org.

The documentation team is always looking for extra hands to help improve documentation. If you like to contribute please have a look at the Jobs To-Do and contact the documentation team on their mattermost channel (PD Documentation)

Related information

If you are an extension developer, please make sure you subscribe to the extension developer channel https://joomlacommunity.cloud.mattermost.com/main/channels/extension-development-room

Where you can join the community of extension developers.

• Filing bugs and issues
• General developer mailing list
• Joomla developer network

A Huge Thank You to Our Volunteers!

Joomla 6.1.1 results from thousands of hours of work by dozens of volunteers. A big thank you to everyone who contributed to Joomla 6.1.1! Full details are on GitHub.

Joomla 5.4.6 is the product of countless hours of dedication from our volunteer community. Our sincere thanks go to everyone who helped make Joomla 5.4.6 possible. You can find the complete list of changes on GitHub.

Thank you all.

Translations

Dutch: Veiligheids en bug-fix release Joomla 6.1.1 en 5.4.6
French: Joomla 6.1.1 et 5.4.6 Securité et correction de bugs
German: Joomla! 6.1.1 und Joomla! 5.4.6 als Sicherheits- und Bugfix-Release veröffentlicht
Italian: Joomla!® 6.1.1 & 5.4.6 — Rilascio Sicurezza e Correzione Bug
Russian: Вышли релизы безопасности Joomla 6.1.1 и Joomla 5.4.6
Turkish: Joomla 6.1.1 ve 5.4.6 Güvenlik ve Hata Düzeltme Sürümü Yayınlandı