Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.
AnalysisAI
Path traversal in Joomla! CMS com_media web service endpoint allows authenticated high-privilege attackers to read arbitrary files outside the intended web root via a manipulated search parameter. Affected versions span two major release trains: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. No public exploit code exists and no active exploitation has been confirmed, but the vulnerability results in full confidentiality loss of the vulnerable system's filesystem contents accessible to the web process.
Technical ContextAI
The com_media component in Joomla! CMS exposes a REST API endpoint for managing media files. The vulnerable code path fails to properly validate or sanitize the 'search' parameter submitted to this endpoint, allowing CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) exploitation - commonly known as path traversal. By injecting directory traversal sequences (e.g., '../') into the search parameter, an attacker can cause the application to resolve file paths outside the intended media directory, exposing arbitrary server-side files readable by the web process. The affected CPE is cpe:2.3:a:joomla!_project:joomla!_cms:*:*:*:*:*:*:*:*, spanning both the 4.x/5.x and 6.x release lines. The CVSS 4.0 vector (AT:P) confirms that specific attack requirements beyond basic network access must be met, consistent with the PR:H requirement - a privileged CMS account.
RemediationAI
The primary remediation is to upgrade to a patched release of Joomla! CMS. Consult the Joomla Security Centre advisory at https://developer.joomla.org/security-centre/1042-20260510-core-path-traversal-in-com-media-webservice-endpoint.html for the exact fixed versions - an exact patched version number is not independently confirmed from the available input data, so administrators should verify the latest stable releases in the 5.x and 6.x branches directly from joomla.org. As a compensating control prior to patching, restrict access to the com_media API endpoint at the web server or WAF layer by blocking requests containing traversal sequences (e.g., '../', '%2e%2e') in the search parameter; note this may break legitimate media search functionality. Additionally, applying the principle of least privilege by auditing and reducing the number of Super User and Administrator accounts minimizes the pool of identities capable of triggering the vulnerability, since PR:H is required. Ensure web process file system permissions are scoped to the web root to limit the blast radius of any successful traversal.
More in Joomla Cms
View allTransport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w
Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t
Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users
Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in
Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi
Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig
Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31885
GHSA-hr66-rv65-f5r4