Skip to main content

Joomla! CMS EUVDEUVD-2026-31872

| CVE-2026-30894 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 Joomla GHSA-g57j-96qr-jr34
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 11:07 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
6.9 (MEDIUM)
CVE Published
May 26, 2026 - 16:42 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Lack of output escaping leads to a XSS vector in the content history component.

AnalysisAI

Cross-site scripting in Joomla! CMS content history component (com_contenthistory) allows a high-privileged attacker to inject persistent malicious scripts due to missing output escaping, leading to confidentiality compromise of the vulnerable system when a victim views affected history entries. Confirmed affected versions span Joomla! CMS 3.0.0-5.4.5 and 6.0.0-6.1.0 across an exceptionally wide installed base. No public exploit code exists and the vulnerability is not in the CISA KEV catalog; EPSS of 0.04% (13th percentile) confirms no observed widespread exploitation at time of analysis.

Technical ContextAI

The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a failure to apply context-aware HTML output escaping within the content history component of Joomla! CMS (CPE: cpe:2.3:a:joomla!_project:joomla!_cms:*:*:*:*:*:*:*:*). Joomla's com_contenthistory component tracks revision history for content items; user-controlled data stored in history records is rendered back into the administrative interface without sanitization, creating a stored XSS sink. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P) indicates the vulnerability is network-reachable, requires no additional technical prerequisites beyond credentials, and only requires passive user interaction - consistent with a stored XSS pattern where payload execution occurs when a victim loads an affected page rather than clicking an explicit link.

RemediationAI

The primary remediation is to upgrade to a patched release per the Joomla Security Centre advisory at https://developer.joomla.org/security-centre/1035-20260503-core-xss-in-com-contenthistory. An exact fixed version number is not independently confirmed from the available data - consult the advisory directly to identify the minimum safe release for your branch (5.x or 6.x). As a compensating control for environments that cannot immediately patch, administrators can restrict access to the content history feature by limiting backend access to only trusted, essential accounts and reviewing user role assignments to minimize the number of accounts capable of creating or editing versioned content. Disabling or restricting com_contenthistory via Joomla's plugin/component manager reduces exposure but may impact editorial workflow. Monitor backend session activity for anomalous behavior from high-privilege accounts as an interim detective control.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

Share

EUVD-2026-31872 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy