Skip to main content

Joomla! CMS EUVDEUVD-2026-31888

| CVE-2026-40383 HIGH
Path Traversal (CWE-22)
2026-05-26 Joomla GHSA-v8h9-9g8j-w7h4
7.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 08:58 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
7.5 (HIGH)
CVE Published
May 26, 2026 - 16:45 nvd
UNKNOWN (no severity yet)
CVE Published
May 26, 2026 - 16:45 nvd
HIGH 7.5

DescriptionCVE.org

An improper validation of user-supplied input leads to a local file inclusion vulnerability.

AnalysisAI

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privilege attackers to read arbitrary server files via improper validation of the layout parameter in htmlview. The flaw is reported by the Joomla project itself (EUVD-2026-31888) and no public exploit identified at time of analysis, with EPSS scoring 0.00% and CISA SSVC marking exploitation status as none despite total technical impact.

Technical ContextAI

The vulnerability is a CWE-22 path traversal (improper limitation of a pathname to a restricted directory) affecting Joomla!'s htmlview layout parameter handling. Joomla! is a widely deployed PHP-based content management system, and its MVC view layer uses 'layout' parameters to select template files for rendering. When user-supplied input to this parameter is not properly normalized or constrained to an allowlist of legitimate layouts, an attacker can supply traversal sequences (such as ../) to escape the intended template directory and cause the application to include arbitrary files from the underlying filesystem, exposing sensitive configuration, credentials, or other server-side content. The affected CPE is cpe:2.3:a:joomla!_project:joomla!_cms covering both the legacy 3.x-5.x branch and the new 6.x branch.

RemediationAI

Patch available per vendor advisory: upgrade Joomla! CMS to a release beyond the affected ranges (above 5.4.5 in the 3.x-5.x line, and above 6.1.0 in the 6.x line) as published in the Joomla! Security Centre bulletin at https://developer.joomla.org/security-centre/1041-20260509-core-lfi-in-htmlview-layout-parameter.html; the input data does not name an exact fixed version, so consult the linked advisory for the precise build number. Until patching is possible, restrict administrative and back-end access to trusted IP ranges via web server or WAF rules to neutralize the PR:H prerequisite, audit and rotate credentials for any account with privileged Joomla! access, and add WAF signatures to block traversal sequences (../, %2e%2e%2f, encoded variants) in the 'layout' query parameter on htmlview-handling routes, accepting that overly broad path-traversal rules may cause false positives on legitimate template names. Review web server and application logs for prior abuse of the layout parameter by administrative sessions.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

CVE-2026-30895 MEDIUM
6.9 May 26

Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec

Share

EUVD-2026-31888 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy