Joomla Astroid Framework security vulnerability: what site owners should do now
Anyone running a Joomla website with the Astroid Framework should take a close look now. The reason is a critical Joomla Astroid Framework vulnerability published under the identifier CVE-2026-21628. According to the known classification, Astroid versions from 2.0.0 to 3.3.10 are affected. The security fix was initially released with version 3.3.11. However, it is advisable to update directly to 3.3.13 or newer.
Why this security vulnerability is so serious
The problem is not merely theoretical. The vulnerability affects an insufficiently secured function in the administration area. As a result, attackers were apparently able to inject files and, in the worst case, execute malicious code on the server. That is exactly what makes such vulnerabilities especially dangerous: it is not just about error messages or minor malfunctions, but about the risk of a complete compromise of the website.
It is also particularly problematic that a simple update may close the vulnerability to new attacks, but it does not automatically clean up a website that has already been compromised. If malicious code has already been uploaded, it may remain active even after the update.
Which websites may be affected
Joomla websites with the Astroid Framework installed in a vulnerable version are at risk. In practical terms, anyone who has not yet updated to a secured version should act immediately. This issue does not only affect outdated test systems or rarely maintained sites; it can also impact live company websites that actively use the framework in their template structure.
Typical signs of an already compromised Joomla site
If a website has already been attacked, there are often certain warning signs. These include, among others:
- unknown or suddenly appearing plugins such as BLPayload, JCachePro or similar names
- suspicious files in the /administrator/cache/ directory
- PHP files in unusual locations, for example in /images/, /tmp/, /cache/ or /logs/
- files that look like harmless images or SVGs but actually contain malicious PHP code
- SEO spam, spam URLs, or strange content in the Google index
- unknown administrators or unfamiliar system extensions
Hidden SEO spam in particular is often discovered too late, because the site appears to function normally at first glance while Google has long since indexed spam subpages.
How the attack works through the Astroid vulnerability
The vulnerability CVE-2026-21628 allows attackers to upload files to the server without any authentication. To do so, a CSRF token is retrieved from the publicly accessible Joomla login page and misused for the upload. The typical process:
- A so-called dropper (e.g. blp_9948.php, blr_6661.php or astroid_poc_[random].php) is uploaded to the /images/ directory
- The dropper extracts a ZIP archive to /plugins/system/blpayload/ and reads the database credentials from configuration.php
- The plugin BLPayload and/or JCachePro is entered directly into the Joomla database with ordering 9999 (highest priority) so that it is loaded before all other plugins
- The dropper then deletes itself to cover its tracks
JCachePro - the predecessor variant
Before BLPayload, the same vulnerability was already exploited with a plugin called jcachepro (/plugins/system/jcachepro/). The current dropper tries to automatically remove this older variant from the database and file system. In practice, however, both variants were found side by side on compromised websites. So anyone looking for BLPayload should also look for jcachepro.
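The following read-only triage script is an added example, not part of the original article or of any Astroid or Joomla code. It walks a Joomla root for the file system indicators listed above (campaign plugin directories, PHP in media, cache and log directories, PHP tags inside image or SVG files, dropper-style names in /images/) and prints the SQL for the database-side check (system plugins named blpayload or jcachepro, or carrying the ordering value 9999). The sample site it builds in a temporary directory is constructed for the demo; the finding labels and the table prefix jos_ are my own choices.

```shell
#!/bin/sh
# Added triage helper for the indicators listed above. Read-only: it only reports.
# Usage: sh astroid_triage.sh /path/to/joomla/root   (no argument: runs on a constructed sample tree)

# Print one line per finding, with paths relative to the Joomla root.
scan_joomla_root() {
    root="$1"
    # 1. plugin directories used by the BLPayload / JCachePro campaign
    for p in blpayload jcachepro; do
        if [ -d "$root/plugins/system/$p" ]; then echo "PLUGIN_DIR plugins/system/$p"; fi
    done
    # 2. PHP files in directories that should only hold media, cache or logs
    for d in images tmp cache logs administrator/cache; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type f \( -name '*.php' -o -name '*.phtml' \) | sed "s|^$root/|PHP_IN_MEDIA |"
        fi
    done
    # 3. image or SVG files that carry a PHP open tag
    find "$root" -type f \( -name '*.svg' -o -name '*.png' -o -name '*.jpg' -o -name '*.gif' \) \
        -exec grep -l '<?php' {} + 2>/dev/null | sed "s|^$root/|PHP_IN_IMAGE |"
    # 4. dropper file names seen in this campaign
    find "$root/images" -type f \( -name 'blp_*.php' -o -name 'blr_*.php' -o -name 'astroid_poc_*.php' \) \
        2>/dev/null | sed "s|^$root/|DROPPER_NAME |"
}

# SQL to run against the Joomla database (e.g. in phpMyAdmin): system plugins with the
# campaign's names or the ordering value 9999. $1 is the table prefix from configuration.php.
extensions_check_sql() {
    printf "SELECT extension_id, name, element, enabled, ordering FROM %sextensions WHERE type='plugin' AND folder='system' AND (element IN ('blpayload','jcachepro') OR ordering >= 9999);\n" "$1"
}

# Constructed sample tree (not a real site) so the example runs stand-alone.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/plugins/system/jcachepro" "$root/images/headers" "$root/administrator/cache" "$root/tmp"
    printf '<?php /* constructed marker */' > "$root/images/blp_1234.php"          # dropper-style name
    printf '<svg><?php /* constructed marker */ ?></svg>' > "$root/images/headers/logo.svg"  # PHP inside an SVG
    printf 'GIF89a' > "$root/images/headers/banner.gif"                             # benign image
    printf '<?php /* constructed marker */' > "$root/administrator/cache/x.php"     # PHP in admin cache
    printf 'clean' > "$root/tmp/index.html"                                        # benign
    echo "$root"
}

if [ -n "$1" ]; then
    scan_joomla_root "$1"
else
    SAMPLE=$(make_sample_site); scan_joomla_root "$SAMPLE"; rm -rf "$SAMPLE"
    extensions_check_sql "jos_"
fi
```

A hit is a lead, not a verdict: legitimate templates occasionally ship PHP in unusual places, so inspect each reported file before acting on it.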
What to do now
1. Update the Astroid Framework immediately
If the Astroid Framework is used on the website, the installed version should be checked immediately and updated to 3.3.13 or newer. Anyone still using an older version is leaving an unnecessarily high risk open.
2. Do not just update the website; check it technically as well
This is the crucial point: a simple version update is not enough if the attack has already happened. In that case, files, plugins, user accounts, and suspicious changes must be carefully checked.
3. Remove malicious code and backdoors completely
Anyone who finds signs of a compromise should not just delete individual suspicious files. In many cases, backdoors, manipulated system files, or other malicious components are present. Without a thorough cleanup, the site remains insecure despite the update.
4. Change access credentials
After a confirmed or likely compromise, all relevant access credentials should be changed. This includes in particular:
- Joomla admin access
- hosting login
- FTP or SFTP access
- database credentials
- if applicable, linked email accounts or other administrative access
5. Check Google Search Console
If spam content or manipulated pages were served, rankings may already have been affected. Therefore, Google Search Console should be checked for security warnings, indexed spam URLs, unusual pages, and possible issues.
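Step 1 asks for the installed version to be checked. The shell functions below are an added example, not code from the article or from the Astroid project: they compare a dotted version number component by component (so that 3.10.x is correctly treated as newer than 3.3.x) against the range the article gives, 2.0.0 to 3.3.10 affected, 3.3.11 first fix, 3.3.13 or newer recommended, and read the version out of a Joomla extension manifest. The article does not name the manifest's location, so pass its path as the argument; the stand-alone run uses a constructed manifest.

```shell
#!/bin/sh
# Added version check for step 1 above. Usage: sh astroid_version.sh /path/to/astroid/manifest.xml
# (no argument: classifies a constructed sample manifest). Assumes plain numeric versions like 3.3.10.

# Return 0 if dotted version $1 is >= $2, comparing each numeric component in turn.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# Classify an Astroid version against the range given in the article:
# 2.0.0 .. 3.3.10 affected, 3.3.11 first fix, 3.3.13 or newer recommended.
astroid_version_status() {
    if version_ge "$1" 3.3.13; then echo "ok"
    elif version_ge "$1" 3.3.11; then echo "fixed-but-update-to-3.3.13"
    elif version_ge "$1" 2.0.0; then echo "VULNERABLE"
    else echo "not-in-affected-range"; fi
}

# Pull the first <version>...</version> value out of a Joomla extension manifest (XML).
manifest_version() {
    sed -n 's/.*<version>[[:space:]]*\([0-9.]*\)[[:space:]]*<\/version>.*/\1/p' "$1" | head -n 1
}

if [ -n "$1" ]; then
    v=$(manifest_version "$1"); echo "$v $(astroid_version_status "$v")"
else
    # constructed manifest (not a real Astroid file) so the example runs stand-alone
    m=$(mktemp); printf '<extension type="library"><name>astroid</name><version>3.3.10</version></extension>\n' > "$m"
    v=$(manifest_version "$m"); echo "$v $(astroid_version_status "$v")"; rm -f "$m"
fi
```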
Why many site owners make the crucial mistake
In practice, the same thing often happens: the affected extension is updated, and then the problem is considered solved. That is exactly what is dangerous with a vulnerability like this. The update does close the known attack vector, but it does not automatically remove the consequences of a prior attack. Anyone who wants to be on the safe side must always do both: close the vulnerability and clean the website.
Conclusion
The Joomla Astroid Framework security vulnerability is a serious issue and should not be underestimated. Anyone using Astroid should check the version immediately, update it promptly, and also inspect the website for signs of compromise. Only then can you be sure that not only the cause has been fixed, but also any malicious code that may already have been injected has been removed.
If your Joomla website is already showing signs of suspicious activity or you are unsure whether the installation is affected, the site should be technically checked and professionally cleaned as soon as possible.
Frequently asked questions about the Joomla Astroid Framework security vulnerability
What is the Joomla Astroid Framework security vulnerability?
This refers to the vulnerability CVE-2026-21628 in the Astroid Framework for Joomla. It is classified as critical and, in the worst case, can allow attackers to upload malicious files and execute code on the server.
Which Astroid versions are affected?
According to the known classification, versions 2.0.0 to 3.3.10 are affected. Any version up to and including 3.3.10 should therefore be treated as potentially vulnerable.
Is a simple update enough?
No, not necessarily. An update does close the vulnerability to new attacks, but it does not remove any backdoors, spam files, or other malicious code that may already be installed. If the website has already been compromised, a thorough cleanup is also necessary.
Which version should be installed now?
It makes sense to update to 3.3.13 or newer, rather than only to the first fixed version.
How can I tell that my Joomla site has already been hacked?
Typical indicators include unknown plugins, suspicious files in cache or media folders, unauthorized administrators, spam pages in the Google index, or conspicuous PHP files in places where they do not belong.
Further information
- CVE-2026-21628 – GitHub Security Advisory
- Borns IT Blog: Astroid Framework is under attack - including reader reports of attacks at All-Inkl
- Last Updated: 11 March 2026
