Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
An improper validation of user-supplied input leads to a local file inclusion vulnerability.
AnalysisAI
Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privilege attackers to read arbitrary server files via improper validation of the layout parameter in htmlview. The flaw is reported by the Joomla project itself (EUVD-2026-31888) and no public exploit identified at time of analysis, with EPSS scoring 0.00% and CISA SSVC marking exploitation status as none despite total technical impact.
Technical ContextAI
The vulnerability is a CWE-22 path traversal (improper limitation of a pathname to a restricted directory) affecting Joomla!'s htmlview layout parameter handling. Joomla! is a widely deployed PHP-based content management system, and its MVC view layer uses 'layout' parameters to select template files for rendering. When user-supplied input to this parameter is not properly normalized or constrained to an allowlist of legitimate layouts, an attacker can supply traversal sequences (such as ../) to escape the intended template directory and cause the application to include arbitrary files from the underlying filesystem, exposing sensitive configuration, credentials, or other server-side content. The affected CPE is cpe:2.3:a:joomla!_project:joomla!_cms covering both the legacy 3.x-5.x branch and the new 6.x branch.
RemediationAI
Patch available per vendor advisory: upgrade Joomla! CMS to a release beyond the affected ranges (above 5.4.5 in the 3.x-5.x line, and above 6.1.0 in the 6.x line) as published in the Joomla! Security Centre bulletin at https://developer.joomla.org/security-centre/1041-20260509-core-lfi-in-htmlview-layout-parameter.html; the input data does not name an exact fixed version, so consult the linked advisory for the precise build number. Until patching is possible, restrict administrative and back-end access to trusted IP ranges via web server or WAF rules to neutralize the PR:H prerequisite, audit and rotate credentials for any account with privileged Joomla! access, and add WAF signatures to block traversal sequences (../, %2e%2e%2f, encoded variants) in the 'layout' query parameter on htmlview-handling routes, accepting that overly broad path-traversal rules may cause false positives on legitimate template names. Review web server and application logs for prior abuse of the layout parameter by administrative sessions.
More in Joomla Cms
View allTransport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w
Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t
Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users
Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in
Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig
Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani
Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31888
GHSA-v8h9-9g8j-w7h4