April 25, 2017, Joomla released version 3.7, which patches multiple XSS, Information Disclosure and ACL violation vulnerabilities. This update is highly recommended as it also updates the core Joomla PHPMailer Library, which had a Remote Code Execution vulnerability. Because certain Joomla extensions come with their own version of PHPMailer, we recommend that all Joomla Administrators determine the PHPMailer versions used by their extensions and update or disable if vulnerable.
For more information this Joomla update, visit https://developer.joomla.org/security-centre.html.