On March 11, 2025 the Joomla! Security Strike Team released security announcement 20250301 along with updates for Joomla 4 and 5. The threat has been described as follows:
Inadequate checks in the Media Manager allowed users with "edit" privileges to change file extension to arbitrary extension, including .php and other potentially executable extensions.
Reported Impacted Versions: 4.0.0-4.4.11 / 5.0.0-5.2.4
Joomla 3 Threat Analysis: This issue does not impact Joomla 3 versions. The Joomla 3 media manager is verified to block unsafe/unsupported media uploads.