Skip to main content

Joomla! CMS CVE-2026-40384

| EUVDEUVD-2026-31885 MEDIUM
Path Traversal (CWE-22)
2026-05-26 Joomla GHSA-hr66-rv65-f5r4
5.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 12:33 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
5.9 (MEDIUM)
CVE Published
May 26, 2026 - 16:45 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.

AnalysisAI

Path traversal in Joomla! CMS com_media web service endpoint allows authenticated high-privilege attackers to read arbitrary files outside the intended web root via a manipulated search parameter. Affected versions span two major release trains: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. No public exploit code exists and no active exploitation has been confirmed, but the vulnerability results in full confidentiality loss of the vulnerable system's filesystem contents accessible to the web process.

Technical ContextAI

The com_media component in Joomla! CMS exposes a REST API endpoint for managing media files. The vulnerable code path fails to properly validate or sanitize the 'search' parameter submitted to this endpoint, allowing CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) exploitation - commonly known as path traversal. By injecting directory traversal sequences (e.g., '../') into the search parameter, an attacker can cause the application to resolve file paths outside the intended media directory, exposing arbitrary server-side files readable by the web process. The affected CPE is cpe:2.3:a:joomla!_project:joomla!_cms:*:*:*:*:*:*:*:*, spanning both the 4.x/5.x and 6.x release lines. The CVSS 4.0 vector (AT:P) confirms that specific attack requirements beyond basic network access must be met, consistent with the PR:H requirement - a privileged CMS account.

RemediationAI

The primary remediation is to upgrade to a patched release of Joomla! CMS. Consult the Joomla Security Centre advisory at https://developer.joomla.org/security-centre/1042-20260510-core-path-traversal-in-com-media-webservice-endpoint.html for the exact fixed versions - an exact patched version number is not independently confirmed from the available input data, so administrators should verify the latest stable releases in the 5.x and 6.x branches directly from joomla.org. As a compensating control prior to patching, restrict access to the com_media API endpoint at the web server or WAF layer by blocking requests containing traversal sequences (e.g., '../', '%2e%2e') in the search parameter; note this may break legitimate media search functionality. Additionally, applying the principle of least privilege by auditing and reducing the number of Super User and Administrator accounts minimizes the pool of identities capable of triggering the vulnerability, since PR:H is required. Ensure web process file system permissions are scoped to the web root to limit the blast radius of any successful traversal.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

Share

CVE-2026-40384 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy