ByteOS Network

Vulnerability Details :

CVE-2026-35220

Summary

Assigner-Joomla

Assigner Org ID-6ff30186-7fb7-4ad9-be33-533e7b05e586

Published At-26 May, 2026 | 16:45

Updated At-26 May, 2026 | 16:45

Joomla! Core - [20260505] - CSRF in user activation endpoint

Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:Joomla

Assigner Org ID:6ff30186-7fb7-4ad9-be33-533e7b05e586

Published At:26 May, 2026 | 16:45

Updated At:26 May, 2026 | 16:45

▼CVE Numbering Authority (CNA)

Joomla! Core - [20260505] - CSRF in user activation endpoint

Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.

Affected Products

Vendor

Joomla!

Product

Joomla! CMS

Default Status

unaffected

Versions

Affected

6.0.0-6.1.0

Problem Types

Type	CWE ID	Description
CWE	CWE-352	CWE-352 Cross-Site Request Forgery (CSRF)

Type: CWE

CWE ID: CWE-352

Description: CWE-352 Cross-Site Request Forgery (CSRF)

Metrics

Version	Base score	Base severity	Vector
4.0	4.6	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Version: 4.0

Base score: 4.6

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Impacts

CAPEC ID	Description
CAPEC-62	CAPEC-62 Cross Site Request Forgery

CAPEC ID: CAPEC-62

Description: CAPEC-62 Cross Site Request Forgery

Credits

finder

Sun HuangnSec

References

Hyperlink	Resource
https://developer.joomla.org/security-centre/1037-20260505-core-csrf-in-user-activation-endpoint	vendor-advisory

Hyperlink: https://developer.joomla.org/security-centre/1037-20260505-core-csrf-in-user-activation-endpoint

Resource:

vendor-advisory

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security@joomla.org

Published At:26 May, 2026 | 17:16

Updated At:26 May, 2026 | 17:16

Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	4.6	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 4.6

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-352	Primary	security@joomla.org

CWE ID: CWE-352

Type: Primary

Source: security@joomla.org

References

Hyperlink	Source	Resource
https://developer.joomla.org/security-centre/1037-20260505-core-csrf-in-user-activation-endpoint	security@joomla.org	N/A

Hyperlink: https://developer.joomla.org/security-centre/1037-20260505-core-csrf-in-user-activation-endpoint

Source: security@joomla.org

Resource: N/A

Similar CVEs

4Records found

CVE-2021-26033

Matching Score-6

Assigner-Joomla! Project

View Details

Matching Score-6

Assigner-Joomla! Project

CVSS Score-6.5||MEDIUM

EPSS-0.01% / 0.48%

7 Day CHG~0.00%

Published-26 May, 2021 | 10:22

Updated-25 Feb, 2026 | 05:04

[20210502] - Core - CSRF in AJAX reordering endpoint

An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint.

Vendor-Joomla!

Product-joomla\!Joomla! CMS

CWE ID-CWE-352

Cross-Site Request Forgery (CSRF)

CVE-2021-26034

Matching Score-6

Assigner-Joomla! Project

View Details

Matching Score-6

Assigner-Joomla! Project

CVSS Score-6.5||MEDIUM

EPSS-0.01% / 0.48%

7 Day CHG~0.00%

Published-26 May, 2021 | 10:22

Updated-25 Feb, 2026 | 05:05

[20210503] - Core - CSRF in data download endpoints

An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo.

Vendor-Joomla!

Product-joomla\!Joomla! CMS

CWE ID-CWE-352

Cross-Site Request Forgery (CSRF)

CVE-2023-23750

Matching Score-6

Assigner-Joomla! Project

View Details

Matching Score-6

Assigner-Joomla! Project

CVSS Score-6.3||MEDIUM

EPSS-0.01% / 0.52%

7 Day CHG~0.00%

Published-01 Feb, 2023 | 21:12

Updated-29 Mar, 2025 | 04:35

[20230101] - Core - CSRF within post-installation messages

An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.

Vendor-Joomla!

Product-joomla\!Joomla! CMS

CWE ID-CWE-352

Cross-Site Request Forgery (CSRF)

CVE-2020-35615

Matching Score-6

Assigner-Joomla! Project

View Details

Matching Score-6

Assigner-Joomla! Project

CVSS Score-6.3||MEDIUM

EPSS-0.00% / 0.16%