Skip to main content

Joomla Cms CVE-2026-21632

| EUVDEUVD-2026-17859 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-01 Joomla GHSA-w5f8-qggr-8844
5.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 10:00 euvd
EUVD-2026-17859
Analysis Generated
Apr 01, 2026 - 10:00 vuln.today
CVE Published
Apr 01, 2026 - 09:03 nvd
MEDIUM 5.9

DescriptionCVE.org

Lack of output escaping for article titles leads to XSS vectors in various locations.

AnalysisAI

Joomla CMS fails to properly escape article titles in output, enabling stored cross-site scripting (XSS) attacks across multiple locations. Attackers with article creation or editing privileges can inject malicious scripts into article titles that execute in the browsers of site visitors, potentially compromising user sessions, stealing credentials, or defacing content. The vulnerability affects all Joomla CMS versions and requires administrative action to remediate.

Technical ContextAI

The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), a class flaw where user-controlled input (article titles) is rendered in HTML output without proper escaping or sanitization. Article titles in content management systems are typically stored in database fields and rendered in multiple output contexts: article listings, navigation menus, search results, category displays, and archive views. Without context-aware output encoding (HTML entity encoding, JavaScript escaping, or URL encoding depending on the output context), injected JavaScript payloads embedded in titles execute with the same privileges as the viewing user. This is a stored XSS variant because the malicious payload persists in the CMS database and affects all subsequent viewers.

RemediationAI

Consult the official Joomla Security Centre advisory at https://developer.joomla.org/security-centre/1030-20260304-core-xss-vectors-in-various-article-title-outputs.html for the patched version number and upgrade instructions. Apply the vendor-released patch immediately to all Joomla CMS installations. As a temporary mitigation pending patch deployment, restrict article creation and editing permissions to trusted administrative accounts only, disable or carefully audit any plugins or extensions that extend article title output, and educate content editors that article titles should not contain HTML, JavaScript, or special characters-rely on Joomla's native title field validation. After patching, audit existing article titles in the database for suspicious content and sanitize or remove any that contain script tags or encoded payloads.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

Share

CVE-2026-21632 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy