Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

joomla\!

Source -

NVDADP

CNA CVEs -

0

ADP CVEs -

2

CISA CVEs -

0

NVD CVEs -

643
Related CVEsRelated VendorsRelated AssignersReports
643Vulnerabilities found

CVE-2026-48952
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-5.9||MEDIUM
EPSS-0.15% / 4.37%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 17:33
Updated-09 Jul, 2026 | 13:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260706] - XSS in com_installer

Lack of escaping leads to an XSS vulnerability in the update list view of com_installer.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48947
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 9.65%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 17:32
Updated-09 Jul, 2026 | 14:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260701] - Incorrect Access Control in com_media webservice endpoints

An improper access check allows privileged users to overwrite media files without editing permissions.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-48958
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.4||MEDIUM
EPSS-0.26% / 17.69%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 17:32
Updated-09 Jul, 2026 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260712] - Incorrect Access Control in com_fields webservice endpoints

An improper access check allows unauthorized users to create custom fields via webservices endpoints.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-48950
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-5.9||MEDIUM
EPSS-0.15% / 4.37%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 17:31
Updated-09 Jul, 2026 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260704] - XSS in com_templates

Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48955
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.4||MEDIUM
EPSS-0.21% / 10.94%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 17:31
Updated-09 Jul, 2026 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260709] - Incorrect Access Control in com_workflow

An improper access check allows unauthorized users to access workflow stage and transition information.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-48956
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 6.34%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 17:31
Updated-09 Jul, 2026 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260710] - Incorrect Access Control in com_modules

An improper access check allows users to display a list of modules in the frontend.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-48957
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 15.10%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 17:30
Updated-09 Jul, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260711] - Incorrect Access Control in com_privacy webservice endpoints

An improper access check allows unauthorized users to access com_privacy datasets.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-48951
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-5.9||MEDIUM
EPSS-0.15% / 4.37%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 17:30
Updated-09 Jul, 2026 | 13:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260705] - XSS in various modalreturn layouts

Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48953
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-5.9||MEDIUM
EPSS-0.15% / 4.37%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 17:30
Updated-09 Jul, 2026 | 13:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260707] - XSS in the generic image output layout

Lack of escaping leads to an XSS vulnerability in the generic image output layout.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48948
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 15.10%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 17:29
Updated-09 Jul, 2026 | 14:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260702] - Incorrect Access Control in com_contact vcf download

An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-48949
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-5.9||MEDIUM
EPSS-0.15% / 4.37%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 17:29
Updated-09 Jul, 2026 | 13:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260703] - XSS in MFA method management

Lack of validation leads to an XSS vulnerability in the MFA management views.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48954
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-5.9||MEDIUM
EPSS-0.15% / 4.37%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 17:29
Updated-09 Jul, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260708] - XSS through language overrides

Improper validation leads to a generic XSS vector in the language override feature.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-35221
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 23.02%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:46
Updated-27 May, 2026 | 13:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260506] - Authenticated blind SQLi in com_finder

Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-48903
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.9||MEDIUM
EPSS-0.14% / 4.07%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:46
Updated-27 May, 2026 | 09:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Framework - [20260519] - Inadequate content filtering within the checkAttribute filter code.

Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! Framework Filter package
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48896
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-8.2||HIGH
EPSS-0.30% / 21.61%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:45
Updated-28 May, 2026 | 19:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260511] - MFA Authentication Bypass

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-287
Improper Authentication
CVE-2026-35220
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-4.6||MEDIUM
EPSS-0.10% / 1.21%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:45
Updated-27 May, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260505] - CSRF in user activation endpoint

Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-40383
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-7.5||HIGH
EPSS-0.48% / 38.41%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:45
Updated-27 May, 2026 | 12:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260509] - LFI in HTMLView layout parameter

An improper validation of user-supplied input leads to a local file inclusion vulnerability.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-35222
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 23.02%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:45
Updated-05 Jun, 2026 | 07:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260507] - Authenticated blind SQLi in com_tags

Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40384
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-5.9||MEDIUM
EPSS-0.45% / 36.00%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:45
Updated-28 May, 2026 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260510] - Path traversal in com_media webservice endpoint

An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-48905
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.9||MEDIUM
EPSS-0.14% / 4.08%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:45
Updated-27 May, 2026 | 09:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Framework - [20260520] - Inadequate content filtering within the cleanAttributes filter code.

Lack of input filtering leads to an XSS vector in the HTML filter code.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! Framework Filter package
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48897
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-8.2||HIGH
EPSS-0.21% / 11.42%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:44
Updated-28 May, 2026 | 19:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260512] - MFA Authentication Bypass

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-287
Improper Authentication
CVE-2026-25901
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.9||MEDIUM
EPSS-0.18% / 7.19%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:44
Updated-27 May, 2026 | 13:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260502] - XSS in com_associations

Lack of output escaping leads to a XSS vector in the multilingual associations component.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48899
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 14.31%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:44
Updated-27 May, 2026 | 09:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260515] - Incorrect Access Control in sample data plugins

An improper access check allows privilege escalation through the com_users batch task.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-48900
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.4||MEDIUM
EPSS-0.15% / 5.01%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:43
Updated-27 May, 2026 | 09:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260516] - Incorrect Access Control in com_scheduler

An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-48902
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-9.8||CRITICAL
EPSS-0.19% / 8.80%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:43
Updated-05 Jun, 2026 | 07:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260518] - Transport encryption downgrade for password and username reset links

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2026-35223
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-8.6||HIGH
EPSS-0.35% / 27.02%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:43
Updated-28 May, 2026 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260508] - Improper access check in com_config webservice endpoints

An improper access check allows unauthorized access to com_config webservice endpoints.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-25900
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.9||MEDIUM
EPSS-0.18% / 7.19%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:43
Updated-27 May, 2026 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260501] - XSS in feed modules

Lack of output escaping leads to a XSS vector in the feed modules.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48904
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-8.2||HIGH
EPSS-0.29% / 21.14%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:43
Updated-27 May, 2026 | 09:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260514] - Privilege escalation through com_users webservice endpoints

An improper access check allows privelege escalation through the com_users group editing webservice endpoint.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-30895
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.9||MEDIUM
EPSS-0.18% / 7.19%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:43
Updated-27 May, 2026 | 13:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260504] - XSS in readmore links

Lack of output escaping leads to a XSS vector in the readmore links for com_content.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48898
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-8.2||HIGH
EPSS-0.27% / 18.61%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:42
Updated-27 May, 2026 | 09:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260513] - Privilege escalation through com_users batch task

An improper access check allows privilege escalation through the com_users batch task.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-30894
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.9||MEDIUM
EPSS-0.18% / 7.19%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:42
Updated-05 Jun, 2026 | 07:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260503] - XSS in com_contenthistory

Lack of output escaping leads to a XSS vector in the content history component.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-48901
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-7.5||HIGH
EPSS-0.24% / 15.65%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:42
Updated-05 Jun, 2026 | 07:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260517] - Incorrect Cache Key Construction for InputFilter objects

The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-524
Use of Cache Containing Sensitive Information
CVE-2026-21630
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.9||MEDIUM
EPSS-0.34% / 26.36%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 09:03
Updated-09 Apr, 2026 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260302] - SQL injection in com_content articles webservice endpoint

Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-23898
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-8.6||HIGH
EPSS-0.45% / 36.65%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 09:03
Updated-09 Apr, 2026 | 19:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260305] - Arbitrary file deletion in com_joomlaupdate

Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-73
External Control of File Name or Path
CVE-2026-21629
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.3||MEDIUM
EPSS-0.25% / 16.23%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 09:03
Updated-09 Apr, 2026 | 20:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260301] - ACL hardening in com_ajax

The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-23899
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-8.6||HIGH
EPSS-0.40% / 32.45%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 09:03
Updated-09 Apr, 2026 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260306] - Improper access check in webservice endpoints

An improper access check allows unauthorized access to webservice endpoints.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-21631
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-5.9||MEDIUM
EPSS-0.22% / 12.05%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 09:03
Updated-09 Apr, 2026 | 19:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260303] - XSS vector in com_associations comparison view

Lack of output escaping leads to a XSS vector in the multilingual associations component.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-21632
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-5.9||MEDIUM
EPSS-0.19% / 8.77%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 09:03
Updated-09 Apr, 2026 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260304] - XSS vectors in various article title outputs

Lack of output escaping for article titles leads to XSS vectors in various locations.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-63082
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-5.9||MEDIUM
EPSS-0.18% / 7.21%
||
7 Day CHG~0.00%
Published-06 Jan, 2026 | 16:01
Updated-30 Jan, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260101] - Inadequate content filtering for data URLs

Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-63083
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-5.9||MEDIUM
EPSS-0.18% / 7.21%
||
7 Day CHG~0.00%
Published-06 Jan, 2026 | 16:01
Updated-30 Jan, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260102] - XSS vector in the pagebreak plugin

Lack of output escaping leads to a XSS vector in the pagebreak plugin.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-25226
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 37.60%
||
7 Day CHG~0.00%
Published-08 Apr, 2025 | 16:24
Updated-04 Jun, 2025 | 20:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20250401] - Joomla Framework - SQL injection vulnerability in quoteNameStr method of Database package

Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! Framework
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-25227
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-7.5||HIGH
EPSS-0.39% / 31.56%
||
7 Day CHG~0.00%
Published-08 Apr, 2025 | 16:24
Updated-04 Jun, 2025 | 20:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20250402] - Joomla Core - MFA Authentication Bypass

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-287
Improper Authentication
CVE-2024-40749
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-7.5||HIGH
EPSS-0.38% / 29.76%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 16:22
Updated-04 Jun, 2025 | 20:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20250103] - Core - Read ACL violation in multiple core views

Improper Access Controls allows access to protected views.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2024-40747
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 15.88%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 16:22
Updated-04 Jun, 2025 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20250101] - Core - XSS vectors in module chromes

Various module chromes didn't properly process inputs, leading to XSS vectors.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-40748
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-7.5||HIGH
EPSS-0.41% / 33.26%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 16:22
Updated-04 Jun, 2025 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20250102] - Core - XSS vector in the id attribute of menu lists

Lack of output escaping in the id attribute of menu lists.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-27185
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-9.1||CRITICAL
EPSS-0.44% / 35.75%
||
7 Day CHG~0.00%
Published-20 Aug, 2024 | 16:03
Updated-04 Jun, 2025 | 20:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20240802] - Core - Cache Poisoning in Pagination

The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.

Action-Not Available
Vendor-joomial_projectJoomla!
Product-joomla\!Joomla! CMSjoomial_cms
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2024-27186
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 16.62%
||
7 Day CHG~0.00%
Published-20 Aug, 2024 | 16:03
Updated-04 Jun, 2025 | 20:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20240803] - Core - XSS in HTML Mail Templates

The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-27184
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 14.98%
||
7 Day CHG~0.00%
Published-20 Aug, 2024 | 16:03
Updated-04 Jun, 2025 | 20:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20240801] - Core - Inadequate validation of internal URLs

Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not..

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-40743
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 16.62%
||
7 Day CHG~0.00%
Published-20 Aug, 2024 | 16:03
Updated-04 Jun, 2025 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20240805] - Core - XSS vectors in Outputfilter::strip* methods

The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-27187
Assigner-Joomla! Project
ShareView Details
Assigner-Joomla! Project
CVSS Score-7.5||HIGH
EPSS-0.35% / 27.73%
||
7 Day CHG~0.00%
Published-20 Aug, 2024 | 16:03
Updated-04 Jun, 2025 | 20:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20240804] - Core - Improper ACL for backend profile view

Improper Access Controls allows backend users to overwrite their username when disallowed.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMSjoomla\!
CWE ID-CWE-284
Improper Access Control
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 12
  • 13
  • Next