Joomla CVEs & Vulnerabilities

20 CVEs affecting Joomla products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

joomla\! 20
CVE-2026-48905MEDIUM

Lack of input filtering leads to an XSS vector in the HTML filter code.

26 May 2026
6.1
CVSS
CVE-2026-48904CRITICAL

An improper access check allows privelege escalation through the com_users group editing webservice endpoint.

26 May 2026
9.8
CVSS
CVE-2026-48903MEDIUM

Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.

26 May 2026
6.1
CVSS
CVE-2026-48902CRITICAL

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

26 May 2026
9.8
CVSS
CVE-2026-48901HIGH

The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.

26 May 2026
7.5
CVSS
CVE-2026-48900MEDIUM

An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.

26 May 2026
4.3
CVSS
CVE-2026-48899CRITICAL

An improper access check allows privilege escalation through the com_users batch task.

26 May 2026
9.8
CVSS
CVE-2026-48898CRITICAL

An improper access check allows privilege escalation through the com_users batch task.

26 May 2026
9.8
CVSS
CVE-2026-48897HIGH

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

26 May 2026
7.5
CVSS
CVE-2026-48896HIGH

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

26 May 2026
7.5
CVSS
CVE-2026-40384HIGH

An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.

26 May 2026
7.5
CVSS
CVE-2026-40383CRITICAL

An improper validation of user-supplied input leads to a local file inclusion vulnerability.

26 May 2026
9.8
CVSS
CVE-2026-35223CRITICAL

An improper access check allows unauthorized access to com_config webservice endpoints.

26 May 2026
9.8
CVSS
CVE-2026-35222CRITICAL

Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.

26 May 2026
9.8
CVSS
CVE-2026-35221CRITICAL

Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.

26 May 2026
9.8
CVSS
CVE-2026-35220MEDIUM

Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.

26 May 2026
4.3
CVSS
CVE-2026-30895MEDIUM

Lack of output escaping leads to a XSS vector in the readmore links for com_content.

26 May 2026
6.1
CVSS
CVE-2026-30894MEDIUM

Lack of output escaping leads to a XSS vector in the content history component.

26 May 2026
6.1
CVSS
CVE-2026-25901MEDIUM

Lack of output escaping leads to a XSS vector in the multilingual associations component.

26 May 2026
6.1
CVSS
CVE-2026-25900MEDIUM

Lack of output escaping leads to a XSS vector in the feed modules.

26 May 2026
6.1
CVSS
← PrevPage 1 / 1Next →