Skip to main content

Joomla! Framework Filter CVE-2026-48903

| EUVDEUVD-2026-31891 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 Joomla GHSA-r82q-7896-84h5
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 12:26 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
6.9 (MEDIUM)

DescriptionCVE.org

Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.

AnalysisAI

Cross-site scripting in the Joomla! Framework Filter package exposes applications to script injection through inadequately sanitized HTML attribute values in the checkAttribute methods. Authenticated users holding high-level privileges can inject malicious content that executes in the browser of any user who subsequently views the affected page. No public exploit has been identified at time of analysis, and an EPSS score of 0.01% at the 0th percentile confirms minimal current exploitation interest across the security community.

Technical ContextAI

The Joomla! Framework Filter package (CPE: cpe:2.3:a:joomla!_project:joomla!_framework_filter_package) is a PHP library used by Joomla!-based applications to sanitize HTML input - including attribute values - before rendering in web pages. The checkAttribute methods are responsible for evaluating and stripping unsafe HTML attribute content. CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: user-supplied attribute values are not adequately encoded or stripped before being written into the HTML output, allowing injected JavaScript to be interpreted by the victim's browser. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P) confirms the flaw is reachable over the network with low complexity, but requires high privileges to inject and passive user interaction to trigger, consistent with a stored XSS pattern where a privileged user writes malicious content that later executes for visiting users.

RemediationAI

Upgrade the Joomla! Framework Filter package to a version beyond 3.0.5 for the 1.x-3.x branch, or to a version beyond 4.0.1 for the 4.x branch. The precise patched release version is not explicitly stated in the provided intelligence data and must be confirmed via the Joomla security advisory at https://developer.joomla.org/security-centre/1051-20260519-framework-inadequate-content-filtering-within-the-checkattribute-filter-code.html or the package's Packagist release history before upgrading. As a compensating control prior to patching, restrict content-creation and HTML-input interfaces exclusively to the most trusted administrator accounts, reducing the pool of identities capable of injecting malicious attribute values. Note that this control does not eliminate the vulnerability - it only limits who can trigger it.

Share

CVE-2026-48903 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy