Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Lack of output escaping leads to a XSS vector in the feed modules.
AnalysisAI
Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsanitized content that executes in the browser context of a victim user who passively views the affected feed output. Affecting the broad version spans of 3.0.0 through 5.4.5 and 6.0.0 through 6.1.0, the root cause is a failure to apply output escaping before rendering feed module data. No public exploit has been identified at time of analysis, and SSVC confirms no current active exploitation.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: user-controlled data is passed into HTML output without proper contextual encoding or escaping. Joomla!'s feed modules - which render RSS or Atom-style content feeds - fail to sanitize output prior to rendering, allowing injected markup to be interpreted as live HTML or JavaScript by the browser. The affected product is identified by CPE cpe:2.3:a:joomla!_project:joomla!_cms:*:*:*:*:*:*:*:*, spanning the Joomla! CMS application across two major version lines (3.x/5.x and 6.x). The CVSS 4.0 vector (PR:H) confirms that only a high-privileged principal - such as an administrator - can introduce the malicious payload, indicating a persistent (stored) XSS pattern rather than a simple reflected attack.
RemediationAI
Apply the vendor-released patch per the Joomla! Security Centre advisory at https://developer.joomla.org/security-centre/1033-20260501-core-xss-in-feed-modules.html. The advisory covers both the 5.x and 6.x lines; the patched release version is not independently confirmed from available input data, so administrators should consult the advisory for the exact target version (likely 5.4.6+ and 6.1.1+ based on the stated affected upper bounds, but this is inferred and not confirmed). As a compensating control where immediate patching is not possible, disable or restrict access to the affected feed modules in Joomla!'s Extension Manager - this eliminates the attack surface at the cost of feed functionality. Additionally, restrict administrative access to the Joomla! backend to trusted IP ranges or VPN, which reduces the PR:H attack surface by limiting who can inject a payload in the first place. Content Security Policy (CSP) headers can mitigate the impact of any residual XSS by blocking inline script execution, though this requires CSP configuration testing to avoid breaking legitimate site functionality.
More in Joomla Cms
View allTransport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w
Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t
Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users
Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in
Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi
Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig
Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31876
GHSA-xvjh-fqcm-jpr6