- [20191002] - Core - Path Disclosure in phpuft8 mapping files
- [20191001] - Core - CSRF in com_template overrides view
- [20190901] - Core - XSS in logo parameter of default templates
- [20190801] - Core - Hardening com_contact contact form
- [20190701] - Core - Filter attribute in subform fields allows remote code execution
- [20190603] - Core - ACL hardening of com_joomlaupdate
- [20190602] - Core - XSS in subform field
- [20190601] - Core - CSV injection in com_actionlogs
- [20190502] - Core - By-passing protection of Phar Stream Wrapper Interceptor
- [20190501] - Core - XSS in com_users ACL debug views