Skip to main content

Joomla! CMS CVE-2026-25901

| EUVDEUVD-2026-31882 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 Joomla GHSA-j2q8-vw6h-chq2
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 11:07 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
6.9 (MEDIUM)
CVE Published
May 26, 2026 - 16:44 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Lack of output escaping leads to a XSS vector in the multilingual associations component.

AnalysisAI

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated high-privilege attacker to inject malicious scripts that execute in another user's browser session, yielding high confidentiality impact on the vulnerable system. Affected installations span Joomla! CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. SSVC assessment lists exploitation as none, EPSS is 0.04% (13th percentile), and no public exploit code or CISA KEV listing exists, indicating this is a low-urgency but genuine privilege-escalation-adjacent risk in multi-administrator Joomla environments.

Technical ContextAI

The com_associations component manages multilingual content linking in Joomla! CMS, connecting content items across language variants via a shared administrator UI. CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: user-supplied data stored or rendered within the associations interface is output to HTML without sufficient encoding, allowing injection of executable script content. The CVSS 4.0 vector confirms the flaw is network-reachable (AV:N), requires no special attack prerequisites beyond the standard application (AT:N), and has low attack complexity (AC:L), meaning exploitation is straightforward once access conditions are met. The vulnerable product is identified by CPE cpe:2.3:a:joomla!_project:joomla!_cms across the affected version ranges. The VC:H component score reflects that a successful XSS could expose sensitive data such as administrator session tokens or credentials within the vulnerable system boundary.

RemediationAI

Apply the vendor-released patch per the Joomla Security Centre advisory at https://developer.joomla.org/security-centre/1034-20260502-core-xss-in-com-associations.html; no specific patched version number is explicitly identified in the available intelligence, so consult the advisory directly to confirm the target upgrade version. As a compensating control for environments unable to patch immediately, consider disabling the com_associations component if multilingual content management is not in active use - note this will break cross-language content linking workflows. Restricting access to the associations manager to the minimum required set of administrator accounts reduces the pool of users who could inject a malicious payload. Implementing a Content Security Policy (CSP) header that disallows inline script execution will mitigate the impact of a successful XSS injection, though CSP configuration in Joomla may require template-level changes. Review VulDB entry https://vuldb.com/vuln/365733 for any additional technical detail.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

CVE-2026-30895 MEDIUM
6.9 May 26

Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec

Share

CVE-2026-25901 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy