Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Lack of input filtering leads to an XSS vector in the HTML filter code.
AnalysisAI
Inadequate HTML attribute sanitization in the cleanattributes() function of the Joomla! Framework Filter package exposes a cross-site scripting (XSS) vector across versions 1.0.0-3.0.5 and 4.0.0-4.0.1. An attacker holding high-privileged (administrative) access can inject malicious script content through unfiltered HTML attributes; when a victim user passively views that content, the payload executes in their browser, yielding high confidentiality impact (VC:H) consistent with session token or credential theft. No public exploit code exists and this vulnerability is not listed in CISA KEV, placing real-world risk well below what the CVSS 6.9 base score might initially suggest.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: the cleanattributes() method within the Joomla! Framework Filter package - a standalone PHP library used by Joomla! CMS to sanitize user-supplied HTML before rendering - fails to adequately strip or encode dangerous attribute values. When attacker-controlled HTML passes through this code path without proper neutralization, executable script content survives into the rendered output. The CPE identifier cpe:2.3:a:joomla!_project:joomla!_framework_filter_package covers both the legacy 1.x/2.x/3.x and the 4.x branch of the package, indicating the flaw spans a long code lineage. The Joomla Security Centre advisory (EUVD-2026-31884) specifically names the cleanattributes filter code as the locus of inadequate filtering.
RemediationAI
Upgrade the Joomla! Framework Filter package to a version beyond the affected ranges - past 3.0.5 on the 3.x branch or past 4.0.1 on the 4.x branch. The exact patched release version should be confirmed directly against the Joomla! Security Centre advisory at https://developer.joomla.org/security-centre/1052-20260520-framework-inadequate-content-filtering-within-the-cleanattributes-filter-code.html, as specific fixed version numbers are not independently confirmed from the available input data and citing an unverified version here would be inappropriate. If immediate patching is not feasible, restrict access to the Joomla! administrative backend to trusted IP ranges via web server or firewall ACLs - this reduces the attack surface by limiting who can satisfy the PR:H prerequisite, though it does not fix the underlying flaw. Implementing a strict Content Security Policy (CSP) header that blocks inline script execution and restricts allowed script origins can cap the blast radius of a successful XSS injection; note that overly restrictive CSP may break legitimate CMS functionality and should be tested before deploying to production.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31884
GHSA-593g-h3wc-jxcw