An issue exists in Joomla! 3.0.0 up to and including 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint.
joomla joomla\\!