Skip to main content

Joomla! Filter Package CVE-2026-48905

| EUVDEUVD-2026-31884 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 Joomla GHSA-593g-h3wc-jxcw
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 12:27 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
6.9 (MEDIUM)

DescriptionCVE.org

Lack of input filtering leads to an XSS vector in the HTML filter code.

AnalysisAI

Inadequate HTML attribute sanitization in the cleanattributes() function of the Joomla! Framework Filter package exposes a cross-site scripting (XSS) vector across versions 1.0.0-3.0.5 and 4.0.0-4.0.1. An attacker holding high-privileged (administrative) access can inject malicious script content through unfiltered HTML attributes; when a victim user passively views that content, the payload executes in their browser, yielding high confidentiality impact (VC:H) consistent with session token or credential theft. No public exploit code exists and this vulnerability is not listed in CISA KEV, placing real-world risk well below what the CVSS 6.9 base score might initially suggest.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: the cleanattributes() method within the Joomla! Framework Filter package - a standalone PHP library used by Joomla! CMS to sanitize user-supplied HTML before rendering - fails to adequately strip or encode dangerous attribute values. When attacker-controlled HTML passes through this code path without proper neutralization, executable script content survives into the rendered output. The CPE identifier cpe:2.3:a:joomla!_project:joomla!_framework_filter_package covers both the legacy 1.x/2.x/3.x and the 4.x branch of the package, indicating the flaw spans a long code lineage. The Joomla Security Centre advisory (EUVD-2026-31884) specifically names the cleanattributes filter code as the locus of inadequate filtering.

RemediationAI

Upgrade the Joomla! Framework Filter package to a version beyond the affected ranges - past 3.0.5 on the 3.x branch or past 4.0.1 on the 4.x branch. The exact patched release version should be confirmed directly against the Joomla! Security Centre advisory at https://developer.joomla.org/security-centre/1052-20260520-framework-inadequate-content-filtering-within-the-cleanattributes-filter-code.html, as specific fixed version numbers are not independently confirmed from the available input data and citing an unverified version here would be inappropriate. If immediate patching is not feasible, restrict access to the Joomla! administrative backend to trusted IP ranges via web server or firewall ACLs - this reduces the attack surface by limiting who can satisfy the PR:H prerequisite, though it does not fix the underlying flaw. Implementing a strict Content Security Policy (CSP) header that blocks inline script execution and restricts allowed script origins can cap the blast radius of a successful XSS injection; note that overly restrictive CSP may break legitimate CMS functionality and should be tested before deploying to production.

Share

CVE-2026-48905 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy