#JUGL meetings are held on the 3rd Tuesday of each month


  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 2.5.0 through 3.9.2
  • Exploit type: Object Injection
  • Reported Date: 2019-January-18
  • Fixed Date: 2019-February-12
  • CVE Number: CVE-2019-7743


The phar:// stream wrapper can be used for objection injection attacks. We now disallow usage of the phar:// handler for non .phar-files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.

Affected Installs

Joomla! CMS versions 2.5.0 through 3.9.2


Upgrade to version 3.9.3


The JSST at the Joomla! Security Centre.

David Jardin (JSST)

Read more

Launch a Full version of Joomla! for FREE (including hosting) Find out More