Joomla Astroid Framework Security Vulnerability

Anyone running a Joomla website with the Astroid Framework should take a close look now. The reason is a critical security vulnerability in the Astroid Framework that was published under the identifier CVE-2026-21628. According to the current classification, Astroid versions from 2.0.0 to 3.3.10 are affected. The fix first shipped in version 3.3.11; it makes more sense, however, to update directly to 3.3.13 or newer.

Why this security vulnerability is so serious

This problem is not merely theoretical. The vulnerability lies in an insufficiently protected function in the administration area, which attackers were apparently able to reach in order to upload files and, in the worst case, execute malicious code on the server. That is exactly what makes vulnerabilities like this especially dangerous: the issue is not error messages or minor malfunctions but the risk of a complete compromise of the website.

It is also particularly problematic that a simple update closes the vulnerability for new attacks, but does not automatically clean an already compromised website. If malicious code has already been uploaded, it may remain active even after the update.

Is your Joomla site already affected? We clean compromised websites – fast, thoroughly, and at a fixed price.

Which websites may be affected

At risk are Joomla websites on which the Astroid Framework is installed in a vulnerable version. In practical terms, this means: if you have not yet updated to a secured version, you should act urgently. This issue does not only affect outdated test systems or rarely maintained sites, but can also impact live business websites that actively use the framework in their template setup.

Typical signs of an already compromised Joomla site

If a website has already been attacked, there are often certain warning signs. These include, among others:

  • unknown or suddenly appearing plugins such as BLPayload, JCachePro or similar names
  • suspicious files in the directory /administrator/cache/
  • PHP files in unusual locations, for example in /images/, /tmp/, /cache/ or /logs/
  • files that look like harmless images or SVGs, but actually contain malicious PHP code
  • SEO spam, spam URLs, or strange content in the Google index
  • unknown administrators or unfamiliar system extensions

Hidden SEO spam in particular is often discovered late because the site appears to function normally at first glance, while Google has already indexed spam subpages.

How the attack works via the Astroid vulnerability

CVE-2026-21628 allows attackers to upload files to the server without authentication. The attacker first fetches a CSRF token from the publicly accessible Joomla login page and reuses it for the upload request; a CSRF token proves nothing about who is sending the request, so the token check alone does not stop the attack. The typical sequence:

  1. A so-called dropper (e.g. blp_9948.php, blr_6661.php or astroid_poc_[random].php) is uploaded into the /images/ directory
  2. The dropper extracts a ZIP archive to /plugins/system/blpayload/ and reads the database credentials from configuration.php
  3. The plugin BLPayload and/or JCachePro is inserted directly into the Joomla database with ordering 9999, an extreme value that places it at the end of Joomla's ascending plugin load order (so it runs after all legitimate system plugins) and that is itself a useful tell when reviewing the extensions table
  4. The dropper then deletes itself to cover its tracks

JCachePro – the predecessor variant

Before BLPayload, the same vulnerability had already been exploited with a plugin called jcachepro (/plugins/system/jcachepro/). The current dropper attempts to remove this older variant from the database and file system automatically. In practice, however, both variants have been found side by side on compromised websites. Anyone searching for BLPayload should therefore also look for jcachepro.
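The warning signs listed above and the four-step chain (dropper in /images/, plugin directory under /plugins/system/, database row with ordering 9999, both BLPayload and jcachepro variants) can be turned into a quick triage script. The following is an added example written for this article, not code from the attackers, from Astroid or from the cleanup service: it walks a Joomla docroot for the file-system indicators and prints the SQL to run against the site's database, reading the real table prefix from configuration.php. The group IDs 7 and 8 are Joomla's default Administrator and Super Users groups; on a site with customised groups, verify them in #__usergroups first.

```shell
#!/bin/sh
# Triage scan for the BLPayload / JCachePro infection chain (added example).
# Usage:  . ./ioc_scan.sh; joomla_ioc_scan /var/www/html; joomla_ioc_sql /var/www/html
# Output: one tab-separated line per finding:  INDICATOR<TAB>path

# File-system indicators from the article: PHP where only data should live,
# image/SVG files carrying PHP, and the two known plugin directories.
joomla_ioc_scan() {
  root="$1"

  # 1. Droppers and web shells: PHP in directories that must not contain code.
  for d in images tmp cache logs administrator/cache; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) |
      while read -r f; do printf 'PHP_IN_DATA_DIR\t%s\n' "$f"; done
  done

  # 2. Polyglots: files named like images or SVGs whose content has a PHP open tag.
  find "$root" -type f \( -iname '*.svg' -o -iname '*.png' -o -iname '*.jpg' \
        -o -iname '*.jpeg' -o -iname '*.gif' -o -iname '*.ico' \) \
        -exec grep -l -a '<?php' {} \; 2>/dev/null |
    while read -r f; do printf 'PHP_IN_IMAGE\t%s\n' "$f"; done

  # 3. Known malicious system plugin directories (both variants, per the article).
  for p in blpayload jcachepro; do
    [ -e "$root/plugins/system/$p" ] &&
      printf 'MALICIOUS_PLUGIN_DIR\t%s\n' "$root/plugins/system/$p"
  done
  return 0
}

# Database indicators: the injected plugin rows (ordering 9999 is itself a tell)
# and every account in the Administrator (7) and Super Users (8) default groups.
# The table prefix is read from configuration.php (public $dbprefix = '...';).
joomla_ioc_sql() {
  prefix=$(awk -F"'" '/\$dbprefix/ { print $2; exit }' "$1/configuration.php")
  [ -n "$prefix" ] || { echo 'could not read $dbprefix from configuration.php' >&2; return 1; }
  cat <<EOF
-- Injected / suspicious system plugins
SELECT extension_id, name, element, folder, enabled, ordering
FROM ${prefix}extensions
WHERE type = 'plugin' AND folder = 'system'
  AND (element IN ('blpayload', 'jcachepro') OR ordering >= 9999);

-- Every administrative account: compare against the people who should have access
SELECT u.id, u.username, u.email, u.registerDate, u.lastvisitDate
FROM ${prefix}users u
JOIN ${prefix}user_usergroup_map m ON m.user_id = u.id
WHERE m.group_id IN (7, 8);
EOF
}
```

Run the scan from a shell on the web host (or against a downloaded copy of the docroot) and feed the printed SQL to the site's database client. A clean site produces no scan output and a plugin query that returns nothing; note that an empty result does not prove anything about backdoors hidden elsewhere, which is why the article insists on a full inspection.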

What to do now in concrete terms

1. Update Astroid Framework immediately

If the Astroid Framework is used on the website, check the installed version immediately and update to 3.3.13 or newer. Anyone still running an older version is leaving an unnecessarily high risk exposed.
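Checking the installed version is quick to script. The following is an added example for this article, not Astroid project code: it compares dotted version strings in plain POSIX shell, classifies a version against the ranges given above (below 3.3.11 unpatched, 3.3.11 and 3.3.12 patched but below the recommended target) and reads the installed version from the extension manifest. The two manifest locations are an assumption about how the Astroid package is laid out; the authoritative record is the manifest_cache column of the #__extensions table, which the Extensions manager in the Joomla backend also displays.

```shell
#!/bin/sh
# Astroid version gate for CVE-2026-21628 (added example, not Astroid code).
# Ranges from the article: < 3.3.11 unpatched, 3.3.11 and 3.3.12 patched but
# below the recommended target, >= 3.3.13 fine.
# Usage:  astroid_status "$(installed_astroid_version /var/www/html)"

# Compare two dotted versions numerically; prints -1, 0 or 1 for A<B, A==B, A>B.
# Missing components count as 0 (3.3 == 3.3.0); a suffix like -beta is ignored.
vercmp() {
  a="$1"; b="$2"; i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && { printf '%s\n' 0; return 0; }
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}       # keep the leading digits only
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && { printf '%s\n' -1; return 0; }
    [ "$x" -gt "$y" ] && { printf '%s\n' 1; return 0; }
    i=$((i + 1))
  done
}

# Exit code 1 = unpatched, 2 = patched but below the recommended 3.3.13, 0 = fine.
astroid_status() {
  v="$1"
  if [ "$(vercmp "$v" 3.3.11)" -lt 0 ]; then
    echo VULNERABLE; return 1
  elif [ "$(vercmp "$v" 3.3.13)" -lt 0 ]; then
    echo PATCHED_BUT_UPDATE; return 2
  fi
  echo OK; return 0
}

# Read <version> from the extension manifest. Both paths are assumptions about
# the package layout; the manifest_cache column of #__extensions is authoritative.
installed_astroid_version() {
  root="$1"
  for f in "$root/plugins/system/astroid/astroid.xml" \
           "$root/administrator/manifests/libraries/astroid.xml"; do
    [ -f "$f" ] || continue
    sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$f" | head -n 1
    return 0
  done
  echo 'astroid manifest not found' >&2
  return 1
}
```

The exit code makes the check usable from a cron job or a monitoring probe: anything other than 0 should page someone, and a 1 means the site must be treated as possibly already compromised, not merely as needing an update.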

2. Do not just update the website, but technically inspect it as well

This is exactly the crucial point: A simple version update is not enough if the attack has already taken place. In that case, files, plugins, user accounts, and suspicious changes must be checked carefully.

3. Completely remove malware and backdoors

Anyone who discovers signs of a compromise should not just delete individual suspicious files. In many cases, backdoors, manipulated system files, or other malicious components are present. Without a thorough cleanup, the site remains insecure despite updates.

4. Change access credentials

After a confirmed or likely compromise, all relevant access credentials should be changed. This includes in particular:

  • Joomla admin logins
  • Hosting login
  • FTP or SFTP access credentials
  • Database credentials
  • if applicable, connected email accounts or other administrative access credentials

5. Check Google Search Console

If spam content or manipulated pages have been served, rankings may already have been affected. That is why Google Search Console should be checked for security warnings, indexed spam URLs, unusual pages, and possible issues.

Why many site owners make the crucial mistake

In practice, the same thing often happens: the affected extension is updated, and the problem is then considered solved. That is exactly what makes this type of vulnerability dangerous. The update closes the known attack path, but it does not automatically remove the consequences of an earlier attack. Anyone who wants to be on the safe side must always do both: close the vulnerability and clean the website.

Conclusion

The Astroid Framework vulnerability is a serious issue and should not be underestimated. Anyone using Astroid should check the installed version immediately, update promptly, and also inspect the website for signs of compromise. Only then can you be sure that not only the cause has been fixed, but that any malicious code already injected has also been removed.

If your Joomla website is already showing suspicious behavior or you are unsure whether the installation is affected, the site should be technically inspected and professionally cleaned without delay.

Frequently asked questions about the Joomla Astroid Framework security vulnerability

What is the Joomla Astroid Framework security vulnerability?

This refers to the vulnerability CVE-2026-21628 in the Astroid Framework for Joomla. It is classified as critical and, in the worst case, can allow attackers to upload malicious files and execute code on the server.

Which Astroid versions are affected?

According to the known classification, the affected versions are 2.0.0 to 3.3.10. Any installation running 3.3.10 or older should therefore be treated as potentially vulnerable; the first patched version is 3.3.11.

Is a simple update enough?

No, not necessarily. An update closes the vulnerability for new attacks, but it does not remove any backdoors, spam files, or other malicious code that may already be installed. If the website has already been compromised, a thorough cleanup is also required.

Which version should be installed now?

A sensible choice is to update to 3.3.13 or newer, rather than updating only to the first patched version.

How can I tell if my Joomla site has already been hacked?

Typical signs include unknown plugins, suspicious files in cache or media folders, unfamiliar administrators, spam pages in the Google index, or suspicious PHP files in places where they do not belong.
