Most of the work of the VEL involves dealing with the same two vulnerabilities: SQL injection and cross-site scripting. They are so common that there are standard methods for preventing them by escaping untrusted input.

Recently we received a more unusual report, from a security researcher, concerning a CSV injection vulnerability in AcyMailing (see https://www.owasp.org/index.php/CSV_Injection). It quickly became apparent that this was a wider issue of insecure CSV export files rather than one specific to AcyMailing. The problem arises because, when a CSV file is imported into a spreadsheet, cells beginning with certain special characters can be interpreted as formulae. In Excel in particular, it is possible for an attacker to run commands on a user's computer, for example opening other programs such as Windows PowerShell. Excel is not alone in having such weaknesses, however: it may also be possible, for example, to exploit Google Sheets to steal user data through crafted cell contents. The more we looked into it, the more it looked like one big fat can of worms.
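The usual mitigation on the export side, written here as an added example rather than code from AcyMailing or the VEL, is to neutralise any cell that begins with a character spreadsheets treat as a formula trigger (following the OWASP page linked above) and to audit existing exports for such cells; the subscriber rows below are constructed sample data.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets may treat as
# the start of a formula when a CSV file is opened or imported.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def neutralize_cell(value):
    """Return the cell as text that a spreadsheet will store, not evaluate."""
    text = "" if value is None else str(value)
    # Per the OWASP guidance, prefix an apostrophe so the cell is kept as a
    # literal string. Check after stripping leading spaces, which some
    # importers ignore.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text

def export_csv(header, rows):
    """Serialise rows to CSV text with every data cell neutralised."""
    buf = io.StringIO(newline="")
    # QUOTE_ALL wraps each field in double quotes and doubles embedded quotes,
    # so commas and quotes inside the data cannot break the row structure.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()

def find_formula_cells(csv_text):
    """Audit CSV text: return (row, column, value) for every cell that starts
    with a formula trigger, e.g. to test an exporter's output before release."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text, newline=""))):
        for c, cell in enumerate(row):
            if cell.lstrip(" ").startswith(FORMULA_TRIGGERS):
                findings.append((r, c, cell))
    return findings

# Constructed sample: a subscriber list as a mailing extension might export it.
# The first name is a harmless formula; the phone number is legitimate data that
# also starts with a trigger character and therefore gets the same treatment.
SAMPLE_HEADER = ["name", "email", "phone"]
SAMPLE_ROWS = [
    ["=1+1", "a@example.com", "+44 20 7946 0000"],
    ['Smith, "Jo"', "jo@example.com", "020 7946 0000"],
]
```

Some importers keep the apostrophe as visible cell text, and legitimate values such as international phone numbers are affected too; that is the accepted trade-off of this approach.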

Have you seen a vulnerability in a Joomla extension being reported elsewhere, but it is not listed on the VEL?

If so, please report it to the VEL using our reporting form here: https://vel.joomla.org/submit-vel. It only takes a couple of minutes and it gives us an opportunity to investigate. While we do actively monitor other sites, we cannot read the entire internet on a daily basis, and it really helps if others take the time to do this.

Things not to do:-

  • ignore it
  • post it to boost your ego on Twitter, but do nothing to report it to the VEL

Remember that you are doing a service to the entire Joomla community in ensuring that accurate information is conveyed to users about extension vulnerabilities.

The VEL are happy to announce the release of a JSON-formatted feed of extensions on the VEL live and resolved lists.

The feed and its data are licensed under the GPL, and may be used in any way compatible with the GPL, including being used in commercial plugins. We encourage the development of plugins that can use this data.

You can find out more here.


The VEL team have introduced a new listing category for abandonware. While abandoned projects are not always vulnerable to exploits, over time they may become an entry point for exploiting websites.

Reporting is easy and consists of a few simple questions: your name and your email, so we can thank you for your report; obviously the extension name; the extension URL, so we can check it out; and the reason you believe it is abandoned.
View the abandoned list at https://vel.joomla.org/abandonware and report extensions via the abandonware form.

We have had reports that extensions from joomla-pro.org may contain malicious code. If anyone has a copy of an extension downloaded from the developer's site, please contact us.