We've rolled out coordinated security patches across Helix Ultimate, Helix 3, and SP Page Builder for Joomla 3 sites. If you're still running Joomla 3, this update matters, whether you're mid-migration or holding steady for now.
Before you jump into the update, let's walk through what to check on your site first.
Check Your Site for Vulnerability
Go through the list below and check the areas that match the vulnerabilities that affect your site:
Open redirect: check for any shared or bookmarked links from your site that redirect to an external domain you don't recognise.
AJAX authorization gaps: look for changes you don't remember making, especially ones that would normally need an admin login, since the missing checks meant some AJAX actions could previously be triggered without proper authorization.
Media/layout/blog path validation: look for files sitting outside their expected folders, or files with names that don't match anything you uploaded.
Missing permission checks (blog image removal, template settings export): check whether any blog images are missing that you didn't delete, and whether your template settings have been exported or downloaded without your knowledge.
Upload validation gap: SVG and ICO files can carry embedded scripts, so check your media manager for either file type, since neither should have been accepted before this fix.
XSS in embeds, galleries, Mega Menu, Layout Builder, font options: look through these areas for content you didn't add, particularly anything that looks like script tags or unfamiliar HTML mixed into text fields.
Frontend article saving: check recently saved articles for unexpected attributes or formatting you didn't set.
Media upload triggering template style import: check your template styles list for entries you don't recognise
Custom icons (SP Page Builder): check your icon library for entries you don't recognize.
Detect Suspicious Files
Be wary of any file in your media, image, and tmp folders that you didn't put there, particularly SVG or ICO files, or any file whose name or extension looks out of place. These are the file types and locations the upload and path validation issues touched.
Before You Update
A few precautions to take before applying the patch, so you can roll back cleanly if anything doesn't behave as expected.
Back up your site and database before making any changes.
Update or reinstall the Joomla core files.
Note down any custom overrides or template edits you've made to Helix Ultimate, Helix, or SP Page Builder files, so you can reapply them if needed.
Initially test the update on a staging site first.
Once you've confirmed everything works on staging, apply the update to your live site.
Helix Ultimate Security for Joomla 3
Today, we released a security patch, v1.0.0, for users running Helix Ultimate on Joomla 3. This is a security-only release, so no other bug fixes are included in this update.
So if you have not yet updated, please do so immediately.
Note: This patch applies to anyone still on Joomla 3, or running a site that can't be upgraded to the latest version right now.
What’s Fixed in Helix Ultimate Security Patch v1.0.0
This patch addresses several security gaps across request handling, media, blog, and menu components. Each fix closes a specific vulnerability without changing how these features work day to day.
Fix: Fixed an open redirect vulnerability and removed internal server paths from error responses.
Fix: Added CSRF token and permission validation for AJAX actions.
Fix: Improved upload validation in the media manager, blocking SVG and ICO files and validating media file paths.
Fix: Fixed path validation for blog files and added a permission check for blog image removal.
Fix: Added a permission check for template settings export.
Fix: Fixed XSS vulnerabilities in Mega Menu, media embeds, and galleries.
What to Do Now
Once you've backed up and tested, here's how to apply the update to your site.
Go to Joomla dashboard > Systems > Install > Extension.
Upload the downloaded .zip file and update your Helix Ultimate.
Helix Ultimate Security Update for Joomla 4, 5 & 6
If you're on Joomla 4, 5, or 6, the security patch for Helix Ultimate was released as v2.2.8. Joomla 4,5 and 6 users can get the Helix Ultimate update here.
Helix 3 Security Update for Joomla 3
Today we also released v1.0.0, a security patch that brings fixes to users still running Helix 3 on Joomla 3. And we recommend you to update immediately.
Note: This patch applies to anyone still on Joomla 3, or running a site that can't be upgraded to the latest version right now.
What to Do Now
Once you've backed up your site and tested the build on a staging site, here's how to apply the update to your site.
Go to Joomla dashboard > Systems > Install > Extension.
Upload the downloaded zip. file to install Helix 3 security patch to your Joomla 3 site.
Note: If you've already applied the previous security update manually to your Joomla 3 site, no further action is needed. This release is only for users who haven't yet completed their update.
We released the SP Page Builder security update for Joomla 3 a while back, but it had to be applied manually. We're now rolling out the same patch which you can install and update through your Joomla extension installer.
Note: This patch applies to anyone still on Joomla 3, or running a site that can't be upgraded to the latest version right now.
Go to Joomla dashboard > Systems > Install > Extension.
Upload the downloaded .zip file to install the SP Page Builder security patch for Joomla 3.
Note: If you've already applied the previous security update manually to your Joomla 3 site, no further action is needed. This release is only for users who haven't yet completed their update.
SP Page Builder Security Update for Joomla 4, 5, and 6
That covers what's fixed, what to check, and how to update. If you're still on Joomla 3, don't wait on this one, apply the patches and keep your site secure. And as usual, if you have any questions or run into difficulties, feel free to reach out to us at This email address is being protected from spambots. You need JavaScript enabled to view it. or post your queries on our forum at www.joomshaper.com/forum.
Sreema
Technical Content Writer
Sreema is a technical content writer at JoomShaper. In her copious free time she enjoys good food with good friends and loves moonlit strolls on the beach!
Hello, when uploading the patch file to my Joomla 3 I get the error:
"Warning
Joomla\CMS\Filesystem\Folder::create: Could not create folder.Path: /domains
Warning: Failed to move file: [TMP]/php4FH4X0 to /domains/bayportlodging.com/public_html[TMP]/helixultimate_j3_security_fixes_v1.0.0.zip"
Hi Mike Lawson,
Could you please check your configuration.php file for $log_path and $tmp_path? Please set the paths correctly if not set. That should resolve error you're seeing.
And if further help is needed, you can always reach out for help in our Forum.
"Warning
Joomla\CMS\Filesystem\Folder::create: Could not create folder.Path: /domains
Warning: Failed to move file: [TMP]/php4FH4X0 to /domains/bayportlodging.com/public_html[TMP]/helixultimate_j3_security_fixes_v1.0.0.zip"
Any ideas how to fix?
Could you please check your configuration.php file for $log_path and $tmp_path? Please set the paths correctly if not set. That should resolve error you're seeing.
And if further help is needed, you can always reach out for help in our Forum.