Skip to main content

Joomla! CMS CVE-2026-25900

| EUVDEUVD-2026-31876 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 Joomla GHSA-xvjh-fqcm-jpr6
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 11:06 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
6.9 (MEDIUM)
CVE Published
May 26, 2026 - 16:43 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Lack of output escaping leads to a XSS vector in the feed modules.

AnalysisAI

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsanitized content that executes in the browser context of a victim user who passively views the affected feed output. Affecting the broad version spans of 3.0.0 through 5.4.5 and 6.0.0 through 6.1.0, the root cause is a failure to apply output escaping before rendering feed module data. No public exploit has been identified at time of analysis, and SSVC confirms no current active exploitation.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: user-controlled data is passed into HTML output without proper contextual encoding or escaping. Joomla!'s feed modules - which render RSS or Atom-style content feeds - fail to sanitize output prior to rendering, allowing injected markup to be interpreted as live HTML or JavaScript by the browser. The affected product is identified by CPE cpe:2.3:a:joomla!_project:joomla!_cms:*:*:*:*:*:*:*:*, spanning the Joomla! CMS application across two major version lines (3.x/5.x and 6.x). The CVSS 4.0 vector (PR:H) confirms that only a high-privileged principal - such as an administrator - can introduce the malicious payload, indicating a persistent (stored) XSS pattern rather than a simple reflected attack.

RemediationAI

Apply the vendor-released patch per the Joomla! Security Centre advisory at https://developer.joomla.org/security-centre/1033-20260501-core-xss-in-feed-modules.html. The advisory covers both the 5.x and 6.x lines; the patched release version is not independently confirmed from available input data, so administrators should consult the advisory for the exact target version (likely 5.4.6+ and 6.1.1+ based on the stated affected upper bounds, but this is inferred and not confirmed). As a compensating control where immediate patching is not possible, disable or restrict access to the affected feed modules in Joomla!'s Extension Manager - this eliminates the attack surface at the cost of feed functionality. Additionally, restrict administrative access to the Joomla! backend to trusted IP ranges or VPN, which reduces the PR:H attack surface by limiting who can inject a payload in the first place. Content Security Policy (CSP) headers can mitigate the impact of any residual XSS by blocking inline script execution, though this requires CSP configuration testing to avoid breaking legitimate site functionality.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-30895 MEDIUM
6.9 May 26

Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec

Share

CVE-2026-25900 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy