Skip to main content

Joomla CMS CVE-2026-48954

| EUVDEUVD-2026-42059 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-07 Joomla GHSA-2hjh-jp76-w6fv
5.9
CVSS 4.0 · Vendor: Joomla
Share

Severity by source

Vendor (Joomla) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.3 HIGH

PR:H reflects mandatory admin access; UI:R captures victim page-load dependency; S:C applies because payload executes in a different user's browser context.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Joomla).

CVSS VectorVendor: Joomla

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 18:58 vuln.today

DescriptionCVE.org

Improper validation leads to a generic XSS vector in the language override feature.

AnalysisAI

Stored XSS in Joomla CMS's language override administrative feature allows a high-privileged attacker to inject malicious scripts that execute in the browser of any user who subsequently renders the affected language string. Rooted in CWE-79 (improper output neutralization), the vulnerability requires an administrative account to place the payload but can then target other admins or front-end users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as high-privileged Joomla admin
Delivery
Navigate to language override manager
Exploit
Inject XSS payload into a language string
Execution
Victim admin or user loads page rendering the poisoned string
Persist
Malicious script executes in victim's browser
Impact
Exfiltrate session token or perform privileged actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a high-privileged Joomla account (PR:H) - an administrator or super-administrator role with write access to the language override management panel in the Joomla back-end. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.9 (Medium) accurately reflects the PR:H requirement, which meaningfully constrains exploitability: an attacker must already control a high-privileged Joomla account - typically a super-administrator or administrator with back-end access - before the vulnerability can be triggered. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised Joomla administrator logs into the back-end and navigates to the language override manager, injecting a JavaScript payload (e.g., a script that exfiltrates document.cookie to an attacker-controlled server) into a frequently rendered language string. When another administrator or an authenticated front-end user visits a page that renders the poisoned string, the script executes silently in their browser, enabling session hijacking or account takeover. …
Remediation Apply the patch or upgrade to the fixed Joomla CMS version identified in the official Joomla Security Centre advisory published 2026-07-08 at https://developer.joomla.org/security-centre/1062-20260708-core-xss-through-language-overrides.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

Share

CVE-2026-48954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy