Skip to main content

Joomla! CMS CVE-2026-30895

| EUVDEUVD-2026-31874 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 Joomla GHSA-vvc8-5fmm-vp8p
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 11:47 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
6.9 (MEDIUM)
CVE Published
May 26, 2026 - 16:43 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Lack of output escaping leads to a XSS vector in the readmore links for com_content.

AnalysisAI

Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to inject unescaped output into readmore links, executing arbitrary JavaScript in a victim's browser upon interaction. Affected releases span Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0. No public exploit code has been identified and CISA KEV does not list this vulnerability, but a vendor security advisory has been published at the Joomla Security Centre.

Technical ContextAI

com_content is Joomla!'s core article and content management component, responsible for rendering article previews and their associated 'Read More' navigation links. CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: user-supplied or database-stored data used to construct readmore link attributes or anchor text is rendered into HTML without proper output escaping, allowing injection of script payloads. The affected CPE is cpe:2.3:a:joomla!_project:joomla!_cms:*:*:*:*:*:*:*:*, covering the CMS product line across both the 4.x/5.x and 6.x major branches. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P) confirms the vulnerability is reachable over the network but requires a high-privileged account to introduce the payload and passive user interaction to trigger execution.

RemediationAI

Apply the vendor-released patch as documented in the Joomla Security Centre advisory at https://developer.joomla.org/security-centre/1036-20260504-core-xss-in-readmore-links. The advisory was published 2026-05-04; an exact patched release version should be confirmed directly from that advisory, as the available intelligence data identifies the upper boundary of affected versions (5.4.5 and 6.1.0) but does not explicitly state the first fixed release version. As a compensating control while patching is scheduled, restrict the ability to create or edit article readmore link fields to the minimum required set of privileged accounts and audit recent readmore link content for unexpected script tags or javascript: URI schemes. Restricting content editor roles reduces the pool of accounts that could introduce a payload; the trade-off is reduced content management agility. The NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-30895 may provide additional patch confirmation.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

Share

CVE-2026-30895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy