Home/ Blog/ Security news/ Article
Blog · Security news

Patched but still defaced: the Helix3 Joomla flaw that hides in your database, not your files

An unauthenticated bug in JoomShaper's Helix3 (CVE-2026-49049) is defacing Joomla sites. It hides in the database, so patching to 3.1.2 alone won't clean it.

Elegant building facade at night above a foundation chamber laced with tangled lines

A Joomla site can be fully patched, pass every file scan, and still greet visitors with a defacement. That is the awkward shape of the campaign now hitting sites built on JoomShaper's Helix3 template framework. The bug behind it, CVE-2026-49049, takes no credentials, and what it plants does not sit on disk where defenders usually hunt. It sits in the database.

Since roughly July 5, 2026, an automated botnet has been rewriting Joomla home pages into a black screen with a skull and one of two signatures: "Hacked by AntonKill" or "Hacked by trenggalek6etar." The researcher who found the flaw, at mySites.guru, and an unrelated Joomla vendor, ChronoEngine, independently walked through the same attack, and a proof-of-concept has since landed on GitHub.

What an anonymous request can do here

Helix3 leaves an AJAX handler task reachable with no authentication or authorization check in front of it. Reach that endpoint and you can erase files, drop JSON files of your choosing onto the server, and overwrite the settings that drive a site's template. The National Vulnerability Database scores it 7.5 and marks it integrity-only: no data theft, no outage, but full control over what the page renders. For a defacement crew, that is the entire toolkit.

ItemDetail
CVECVE-2026-49049
ProductJoomShaper Helix3 template framework for Joomla
SeverityCVSS 7.5, unauthenticated, integrity impact
Flaw classImproper access control, CWE-284
AffectedHelix3 1.0 through 3.1.1
Fixed in3.1.2 (both Helix3 plugins: framework and Ajax)
DisclosedJune 29, 2026
ExploitationActive since about July 5, 2026, automated defacement botnet
PersistenceDatabase, not filesystem
Sources: NVD; JoomShaper; mySites.guru; ChronoEngine.

Both write-ups also flag a quieter version of the attack. Rather than the skull page, some hijacked sites serve a bogus reCAPTCHA prompt wired to a crypto wallet drainer, turning the visit into money instead of a trophy. A Helix3 site that looks normal is not automatically a site that got passed over.

Why your file scan keeps saying the site is clean

This is the part the fast coverage skims, and it decides whether your cleanup actually holds. The botnet plants no webshell and edits no template file. It writes its JavaScript into Joomla's database, into the settings Helix3 keeps for each template style. In a stock install those settings live as a JSON blob on the template-styles row, in the custom-code fields a site owner would normally fill with an analytics snippet: custom JavaScript, custom CSS, the before-head slot. From there the script fires on every page view.

Filesystem malware scanners, file-integrity monitoring, and rule-based file checks will all wave the site through, because not a single byte on disk moved. The defacement is one row in a table. It is also why reinstalling the Helix3 files changes nothing: you swap out code that was never touched while the real payload keeps sitting in the database.

So the hunt is a query, not a scan. On a site you control, read back the stored template-style settings and look for markup you never added, a stray script tag or a DOM write:

`SELECT id, title FROM jos_template_styles WHERE params LIKE '% Any row that comes back carrying injected code is a compromise you can trust over any scanner's all-clear.

Patching to 3.1.2 is half the job

Two things about the fix catch people out. The first is the number. JoomShaper pushed 3.1.1 on June 29, the day of disclosure, but that build did not fully shut the flaw, and NVD still lists 3.1.1 among the affected versions. The release you want is 3.1.2 or later. The second is that Helix3 is not one plugin but two. Both have to reach 3.1.2: the framework one, which Joomla lists as System - Helix3 Framework, and its companion, the Helix3 - Ajax plugin. Upgrade one and forget the other and the endpoint stays open.

Handle it as two jobs, not one:

  • Get both of the Helix3 plugins onto 3.1.2, or a later build, to stop fresh injection.
  • Then clear what already landed: strip the rogue script out of the stored template-style settings and put back any configuration the attacker rewrote.
  • Sweep /tmp, your media directories, and the template folders for leftovers, since the same flaw can also drop stray JSON files and delete legitimate ones.

If a site sat reachable and unpatched anywhere between early July and the moment you updated, treat it as hit and check the database before you sign it off.

The Joomla add-on layer keeps being the way in

This is the third Joomla extension flaw in recent weeks that earns an urgent patch, and the shape does not change: the core platform holds, and the intruders come in through the add-ons. Only last week CISA tagged two page builders, one of them JoomShaper's own SP Page Builder, as actively exploited for takeover, and shortly before that an unauthenticated hole in the JCE editor was being turned into webshells on live hosts. Different component each time, same entry strategy. If you run Joomla, how fast you patch extensions counts for more than how fast you patch core, and your response checklist needs a database step, because the next one may live there too.

Frequently asked questions

What is CVE-2026-49049 in Helix3 for Joomla?

It is an improper access control flaw in JoomShaper's Helix3 template framework for Joomla. An exposed AJAX handler runs without authentication, letting an anonymous attacker delete files, write JSON files, and change template parameters. It is rated CVSS 7.5 and is being actively exploited to deface sites.

Which Helix3 versions are affected and what is the fix?

Helix3 versions 1.0 through 3.1.1 are affected. The fix is version 3.1.2 or newer. The 3.1.1 release on June 29, 2026 did not fully close the flaw, so update to 3.1.2, and update both the Helix3 Framework plugin and the Helix3 Ajax plugin.

Why does my Joomla site still look hacked after I updated Helix3?

Because the attack stores its code in the database, not in files. Updating or reinstalling the Helix3 plugin replaces files that were never modified, while the injected script stays in the template style parameters. You have to remove that database entry separately to clean the site.

How do I tell if my Joomla site was defaced through Helix3?

Check the database rather than the filesystem. Read the template style parameters (the params column of the template styles table) for script tags or DOM-writing code you did not add. Visible signs include a skull page tagged AntonKill or trenggalek6etar, or a fake reCAPTCHA and wallet-drainer prompt.

Is CVE-2026-49049 being exploited in the wild?

Yes. Since about July 5, 2026 an automated botnet has been defacing Joomla sites running vulnerable Helix3 versions, and a proof-of-concept is now public on GitHub. Two independent Joomla security sources have documented the campaign. Treat any reachable, unpatched Helix3 site as likely compromised.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.