Skip to main content

Joomla! CMS CVE-2026-35220

| EUVDEUVD-2026-31889 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-26 Joomla GHSA-h52w-g3vr-5c63
4.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 11:08 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
4.6 (MEDIUM)
CVE Published
May 26, 2026 - 16:45 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.

AnalysisAI

CSRF token validation is absent on the admin user activation endpoint (com_users component) in Joomla! CMS 6.0.0 through 6.1.0, allowing a remote attacker to trigger unauthorized user activation actions by luring an authenticated administrator into visiting a crafted page. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation requires an active, logged-in administrator and deliberate user interaction, constraining real-world risk despite the network-accessible attack vector. No public exploit code exists and CISA has not added this to KEV; EPSS places exploitation probability at 0.02% (5th percentile), consistent with SSVC's 'none' exploitation status.

Technical ContextAI

The vulnerability resides in the com_users component of Joomla! CMS - the core user management subsystem responsible for registration, authentication, and account activation workflows. CWE-352 (Cross-Site Request Forgery) indicates the affected activation endpoint processes state-changing HTTP requests without verifying that the request originates from a legitimate, same-origin session (i.e., no CSRF token is checked). Affected product confirmed via CPE cpe:2.3:a:joomla!_project:joomla!_cms:*:*:*:*:*:*:*:* and EUVD version range 6.0.0-6.1.0. Because the activation endpoint is admin-facing, the attack surface is confined to the Joomla backend administrative panel rather than the public front-end, which limits exposure to environments where administrators are active and their sessions can be targeted.

RemediationAI

Apply the Joomla! security patch as detailed in the official Joomla Security Centre advisory at https://developer.joomla.org/security-centre/1037-20260505-core-csrf-in-user-activation-endpoint. The advisory was published 2026-05-05; organizations running Joomla! CMS 6.0.0-6.1.0 should upgrade to the first release that addresses this CVE per Joomla's release notes - the exact patched version is not independently confirmed in the provided data and should be verified against the vendor advisory. As a compensating control pending patching, restrict backend administrative access to trusted IP ranges via server-level rules (e.g., nginx/Apache allow/deny directives or WAF IP allowlisting) to reduce the likelihood of an attacker being able to deliver the CSRF payload to an active admin session; note this does not eliminate the vulnerability but significantly narrows the attack surface. Additionally, ensure administrator sessions have short inactivity timeouts to limit the window during which a CSRF attack can succeed.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

Share

CVE-2026-35220 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy