Joomla 3.6.4, released

Joomla patched two account creation flaw, which is exploited by attackers for hacking activity. The flaw allows a creation of an account with elevated privilege, even if the account registration is disabled. Website owners should check their dashboard for a newly created account and access logs for requests that contain a "task=user.register" pattern.
http://bit.ly/2ePJi5J