Skip to main content

Joomla Cms CVE-2026-21631

| EUVDEUVD-2026-17857 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-01 Joomla
5.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 10:00 euvd
EUVD-2026-17857
Analysis Generated
Apr 01, 2026 - 10:00 vuln.today
CVE Published
Apr 01, 2026 - 09:03 nvd
MEDIUM 5.9

DescriptionCVE.org

Lack of output escaping leads to a XSS vector in the multilingual associations component.

AnalysisAI

Cross-site scripting (XSS) in Joomla CMS multilingual associations component allows unauthenticated remote attackers to inject malicious scripts via unescaped output in the comparison view. The vulnerability affects all versions of Joomla CMS and stems from improper output encoding in the com_associations component. No CVSS score is available; however, the CWE-79 classification confirms reflected or stored XSS capability.

Technical ContextAI

The vulnerability exists in Joomla CMS's multilingual associations component (com_associations), specifically in the comparison view functionality. CWE-79 identifies the root cause as improper neutralization of input during web page generation, meaning user-controlled data is rendered in HTML/JavaScript context without adequate escaping or encoding. The Joomla framework provides output escaping functions (e.g., HTMLspecialchars, JSON encoding) that should have been applied to multilingual association data before rendering to the browser. The absence of these protections allows attackers to inject arbitrary HTML and JavaScript that executes in the victim's browser session, potentially enabling credential theft, session hijacking, or malware distribution.

RemediationAI

Apply the security patch released by Joomla Project as documented in their security advisory at https://developer.joomla.org/security-centre/1029-20260303-core-xss-vector-in-com-associations-comparison-view.html. The patch addresses output escaping in the com_associations comparison view to prevent XSS injection. If a patched version is not immediately available, disable or restrict access to the multilingual associations component through administrator control panel access controls or web server rules until the patch can be deployed. Ensure all Joomla installations are kept current with security updates and consider implementing Content Security Policy (CSP) headers as a defense-in-depth measure.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

Share

CVE-2026-21631 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy