Joomla Cms
Monthly
Cross-site scripting in Joomla! CMS's com_installer component exposes the administrator backend to script injection via the update list view, stemming from missing output escaping (CWE-79). The CVSS 4.0 vector (PR:H/UI:P/E:U) confirms exploitation is constrained to sessions where a high-privilege administrator views the maliciously influenced update list, substantially limiting the attack surface. No public exploit code or active exploitation has been identified at time of analysis.
Improper access control in Joomla! CMS's com_media webservice endpoints allows privileged users to overwrite media files even when they lack explicit editing permissions. The flaw affects two active release lines - 4.1.0 through 5.4.6 and 6.0.0 through 6.1.1 - and is confirmed by the Joomla Security Centre. The CVSS 4.0 vector (SC:H/SI:H/SA:H) indicates that while the direct impact on the vulnerable system is limited (VI:L), successful exploitation can cascade into high-impact consequences on the broader site or dependent systems. No public exploit or CISA KEV listing has been identified at time of analysis.
Incorrect access control in Joomla! CMS exposes com_fields REST API webservices endpoints to users who lack the required permissions, allowing them to create custom field definitions that should be restricted to higher-privileged roles such as Manager or Administrator. The flaw originates from a missing or incorrectly evaluated ACL check in the webservices layer and is confirmed by Joomla's own Security Centre in advisory 20260712. No public exploit has been identified at time of analysis, though the CVSS scope-change metrics indicate potential for significant downstream impact to site content and dependent integrations if unauthorized field definitions are used to inject malicious markup.
Cross-site scripting in Joomla! CMS com_templates file management view allows a high-privileged attacker to inject unescaped malicious script that executes in the browser of any administrator who subsequently views the affected template file listing. Affected versions span Joomla! 4.0.0 through 5.4.6 and 6.0.0 through 6.1.1. No public exploit identified at time of analysis and the CVSS 4.0 supplemental metric E:U confirms no known active exploitation, but the wide install base and admin-targeting nature of the payload make this relevant to Joomla site operators.
Unauthorized access to workflow stage and transition data in Joomla! CMS is possible due to an improper access check in the com_workflow component (CWE-284), allowing authenticated users who lack the necessary workflow management permissions to read internal content publication configuration. The CVSS 4.0 vector assigns high subsequent-system impacts (SC:H/SI:H/SA:H), suggesting the vendor assessed this metadata exposure as a meaningful enabler of broader content pipeline compromise. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Incorrect access control in Joomla! CMS's com_modules component exposes the module listing interface to frontend users who should not have visibility into installed modules. The flaw stems from CWE-284 (Improper Access Control), where the frontend fails to enforce sufficient privilege checks before returning module enumeration data. No public exploit or CISA KEV listing has been identified at time of analysis, and the EPSS score is not provided in source data, but the CVSS 4.0 score of 6.4 reflects meaningful subsequent-system impact potential stemming from reconnaissance value of the disclosed module inventory.
Improper access control in Joomla! CMS exposes com_privacy component webservice endpoints to users lacking the required authorization, allowing unauthorized reads of GDPR/privacy datasets. The flaw is classified as CWE-284 and impacts downstream systems at high severity per the vendor-supplied CVSS 4.0 vector, despite requiring high privileges on the vulnerable system itself - a tension that suggests role-boundary bypass rather than fully unauthenticated access. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Cross-site scripting in Joomla! CMS modalreturn layout components enables a high-privileged attacker to inject and execute arbitrary JavaScript in a victim administrator's browser session. The root cause is insufficient output escaping in multiple component layouts that handle modal return values. No public exploit code has been identified and CISA KEV does not list this vulnerability; the CVSS 4.0 exploitation likelihood metric (E:U) further indicates no observed active exploitation at time of analysis.
Cross-site scripting in Joomla! CMS's generic image output layout enables a high-privileged attacker to inject malicious script payloads that execute in the browsers of other authenticated users who view the affected content. The root cause is absent HTML output escaping in the image rendering component (CWE-79), allowing injected JavaScript to break out of the intended data context. No public exploit has been identified at time of analysis, and exploitation requires a pre-existing high-privileged Joomla account plus passive victim interaction, substantially limiting real-world exposure despite high impact scores on confidentiality and integrity.
Improper access control in Joomla! CMS com_contact component exposes restricted contact records via vcard (VCF) export to authenticated users who should not have access. Affecting versions 3.0.0 through 5.4.6 and 6.0.0 through 6.1.1, the flaw allows an authenticated user to bypass access restrictions and download vcard exports of contacts that have been explicitly restricted from their view. No public exploit code or active exploitation has been identified at time of analysis, but the wide deployment footprint of Joomla and the breadth of affected versions (spanning both the 3.x/5.x and 6.x branches) make patching a priority for sites using the com_contact component.
Cross-site scripting in Joomla! CMS multi-factor authentication management views allows a high-privileged attacker to inject persistent malicious scripts that execute in the browser of any administrator who subsequently views the MFA management interface. Affected versions span two major release lines: 4.2.0-5.4.6 and 6.0.0-6.1.1, representing a broad surface across both legacy and current deployments. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, successful exploitation yields high confidentiality and integrity impact against the victim administrator's browser session.
Stored XSS in Joomla CMS's language override administrative feature allows a high-privileged attacker to inject malicious scripts that execute in the browser of any user who subsequently renders the affected language string. Rooted in CWE-79 (improper output neutralization), the vulnerability requires an administrative account to place the payload but can then target other admins or front-end users. No public exploit code has been identified at time of analysis (CVSS E:U), and the vulnerability is not listed in the CISA KEV catalog.
Blind SQL injection in the com_finder (Smart Search) component of Joomla! CMS allows authenticated high-privilege users to extract confidential data from the underlying database across versions 5.4.0-5.4.5 and 6.0.0-6.1.0. The vulnerability stems from improperly constructed SQL filter clauses in search queries that permit attacker-controlled input to alter query logic. No public exploit has been identified at time of analysis, CISA has not added this to the KEV catalog, and EPSS probability sits at 0.03%, signaling minimal observed exploitation pressure.
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent MFA checks due to insufficient state validation during the authentication flow. The flaw (CWE-287) was disclosed by the Joomla! project itself and tracked as EUVD-2026-31890; no public exploit identified at time of analysis and EPSS is very low (0.01%, 2nd percentile), but the integrity impact is high since attackers reaching this path effectively defeat the second authentication factor.
CSRF token validation is absent on the admin user activation endpoint (com_users component) in Joomla! CMS 6.0.0 through 6.1.0, allowing a remote attacker to trigger unauthorized user activation actions by luring an authenticated administrator into visiting a crafted page. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation requires an active, logged-in administrator and deliberate user interaction, constraining real-world risk despite the network-accessible attack vector. No public exploit code exists and CISA has not added this to KEV; EPSS places exploitation probability at 0.02% (5th percentile), consistent with SSVC's 'none' exploitation status.
Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privilege attackers to read arbitrary server files via improper validation of the layout parameter in htmlview. The flaw is reported by the Joomla project itself (EUVD-2026-31888) and no public exploit identified at time of analysis, with EPSS scoring 0.00% and CISA SSVC marking exploitation status as none despite total technical impact.
Authenticated blind SQL injection in Joomla! CMS's com_tags component allows high-privileged attackers to exfiltrate database contents by supplying maliciously crafted ORDER BY clauses that are not properly validated. Affected versions span two distinct release trains: the 4.x/5.x line (4.0.0 through 5.4.5) and the 6.x line (6.0.0 through 6.1.0), meaning the vulnerability persists across both legacy and current major releases. No public exploit code has been identified at time of analysis, and the EPSS score of 0.00% indicates negligible automated exploitation probability, though the high-privilege requirement significantly limits the realistic attacker pool.
Path traversal in Joomla! CMS com_media web service endpoint allows authenticated high-privilege attackers to read arbitrary files outside the intended web root via a manipulated search parameter. Affected versions span two major release trains: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. No public exploit code exists and no active exploitation has been confirmed, but the vulnerability results in full confidentiality loss of the vulnerable system's filesystem contents accessible to the web process.
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor authentication (MFA) due to insufficient state validation during the login flow. The flaw, tracked as CVE-2026-48897 and reported by the Joomla! project, undermines the integrity protections expected from 2FA and could grant attackers access to accounts whose credentials are already known or guessable. EPSS probability is low (0.04%, 13th percentile) and there is no public exploit identified at time of analysis.
Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated high-privilege attacker to inject malicious scripts that execute in another user's browser session, yielding high confidentiality impact on the vulnerable system. Affected installations span Joomla! CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. SSVC assessment lists exploitation as none, EPSS is 0.04% (13th percentile), and no public exploit code or CISA KEV listing exists, indicating this is a low-urgency but genuine privilege-escalation-adjacent risk in multi-administrator Joomla environments.
Privilege escalation in Joomla! CMS via the com_users batch task allows low-privileged authenticated users to bypass access controls and elevate their user group membership or permissions. Affected versions span two major release lines: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0, as confirmed by ENISA EUVD-2026-31880 and the Joomla Security Centre. No public exploit has been identified and EPSS is effectively zero; however, SSVC assesses the technical impact as total, meaning successful exploitation could yield full privilege takeover within the application.
Improper access control in Joomla! CMS com_scheduler component permits low-privileged authenticated backend users to modify the task types of existing scheduler tasks, an operation that should be restricted to higher-privileged administrators. Affected versions span Joomla! 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0. While no public exploit code exists and CISA KEV has not confirmed active exploitation, the high subsequent-system impact scores (SC:H/SI:H/SA:H) in the CVSS 4.0 vector indicate that tampering with scheduler task types can produce significant integrity and availability consequences beyond the immediately vulnerable component.
Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated with plain HTTP URLs instead of HTTPS when the 'Force SSL' configuration flag is not explicitly enabled. Affected installations span Joomla! 3.9.0 through 5.4.5 and 6.0.0 through 6.1.0, exposing reset tokens to network interception. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.02% (5th percentile) despite the 9.8 CVSS rating.
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges to access configuration data they should not be permitted to reach, impacting confidentiality, integrity, and availability of the affected site. The flaw spans Joomla 4.0.0-5.4.5 and 6.0.0-6.1.0 and was disclosed by the Joomla! Project itself with a CVSS 4.0 base of 8.6. No public exploit identified at time of analysis and EPSS is very low at 0.04%.
Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsanitized content that executes in the browser context of a victim user who passively views the affected feed output. Affecting the broad version spans of 3.0.0 through 5.4.5 and 6.0.0 through 6.1.0, the root cause is a failure to apply output escaping before rendering feed module data. No public exploit has been identified at time of analysis, and SSVC confirms no current active exploitation.
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abuse an improper access check in the com_users group editing webservice endpoint to elevate privileges. The CVSS 4.0 vector indicates network-reachable exploitation without authentication or user interaction, with high impact to integrity but no confidentiality or availability impact. There is no public exploit identified at time of analysis and EPSS is effectively 0%, but the vendor advisory confirms the access-control flaw.
Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to inject unescaped output into readmore links, executing arbitrary JavaScript in a victim's browser upon interaction. Affected releases span Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0. No public exploit code has been identified and CISA KEV does not list this vulnerability, but a vendor security advisory has been published at the Joomla Security Centre.
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users batch task due to an improper access check (CWE-284). The flaw enables unauthorized modification of user accounts and elevation of privileges across affected installations, with no public exploit identified at time of analysis. EPSS scoring is 0.00% and the vulnerability is not listed in CISA KEV, but the CVSSv4 base score of 8.2 reflects high integrity impact.
Cross-site scripting in Joomla! CMS content history component (com_contenthistory) allows a high-privileged attacker to inject persistent malicious scripts due to missing output escaping, leading to confidentiality compromise of the vulnerable system when a victim views affected history entries. Confirmed affected versions span Joomla! CMS 3.0.0-5.4.5 and 6.0.0-6.1.0 across an exceptionally wide installed base. No public exploit code exists and the vulnerability is not in the CISA KEV catalog; EPSS of 0.04% (13th percentile) confirms no observed widespread exploitation at time of analysis.
Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without including a security-sensitive parameter, allowing a previously cached filter instance to be returned even when a different security posture was requested. Remote unauthenticated attackers can leverage the resulting filter mismatch to retrieve sensitive data (CVSS 7.5, C:H only). No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating low predicted exploitation in the near term.
SQL injection in Joomla CMS articles webservice endpoint allows remote attackers to execute arbitrary SQL queries through improperly constructed ORDER BY clauses, affecting all versions of Joomla CMS. The vulnerability exists in the com_content component's webservice endpoint and permits unauthenticated query manipulation. No CVSS score or patch version information is available at time of analysis, limiting severity quantification.
Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote attackers to delete files on affected servers due to insufficient input validation. The vulnerability affects all versions of Joomla! CMS through the update component and carries moderate-to-high real-world risk because file deletion can compromise system integrity, availability, and potentially enable privilege escalation or secondary attacks when combined with other weaknesses.
Joomla CMS fails to enforce authenticated user checks on the AJAX component in the administrative area, allowing potential authentication bypass and unauthorized access to sensitive functionality. Third-party developers expecting default access controls may expose administrative features to unauthenticated or unauthorized users. No CVSS score or public exploit code has been identified, but the vulnerability affects all Joomla CMS versions and requires immediate review of custom AJAX implementations that rely on implicit authentication enforcement.
Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and access protected API functionality without valid credentials. Joomla! CMS versions prior to the patched release are affected. The vulnerability stems from inadequate validation of user permissions before processing webservice requests, enabling remote unauthenticated attackers to interact with restricted endpoints that should require administrative or elevated privileges.
Cross-site scripting (XSS) in Joomla CMS multilingual associations component allows unauthenticated remote attackers to inject malicious scripts via unescaped output in the comparison view. The vulnerability affects all versions of Joomla CMS and stems from improper output encoding in the com_associations component. No CVSS score is available; however, the CWE-79 classification confirms reflected or stored XSS capability.
Joomla CMS fails to properly escape article titles in output, enabling stored cross-site scripting (XSS) attacks across multiple locations. Attackers with article creation or editing privileges can inject malicious scripts into article titles that execute in the browsers of site visitors, potentially compromising user sessions, stealing credentials, or defacing content. The vulnerability affects all Joomla CMS versions and requires administrative action to remediate.
Cross-site scripting in Joomla! CMS's com_installer component exposes the administrator backend to script injection via the update list view, stemming from missing output escaping (CWE-79). The CVSS 4.0 vector (PR:H/UI:P/E:U) confirms exploitation is constrained to sessions where a high-privilege administrator views the maliciously influenced update list, substantially limiting the attack surface. No public exploit code or active exploitation has been identified at time of analysis.
Improper access control in Joomla! CMS's com_media webservice endpoints allows privileged users to overwrite media files even when they lack explicit editing permissions. The flaw affects two active release lines - 4.1.0 through 5.4.6 and 6.0.0 through 6.1.1 - and is confirmed by the Joomla Security Centre. The CVSS 4.0 vector (SC:H/SI:H/SA:H) indicates that while the direct impact on the vulnerable system is limited (VI:L), successful exploitation can cascade into high-impact consequences on the broader site or dependent systems. No public exploit or CISA KEV listing has been identified at time of analysis.
Incorrect access control in Joomla! CMS exposes com_fields REST API webservices endpoints to users who lack the required permissions, allowing them to create custom field definitions that should be restricted to higher-privileged roles such as Manager or Administrator. The flaw originates from a missing or incorrectly evaluated ACL check in the webservices layer and is confirmed by Joomla's own Security Centre in advisory 20260712. No public exploit has been identified at time of analysis, though the CVSS scope-change metrics indicate potential for significant downstream impact to site content and dependent integrations if unauthorized field definitions are used to inject malicious markup.
Cross-site scripting in Joomla! CMS com_templates file management view allows a high-privileged attacker to inject unescaped malicious script that executes in the browser of any administrator who subsequently views the affected template file listing. Affected versions span Joomla! 4.0.0 through 5.4.6 and 6.0.0 through 6.1.1. No public exploit identified at time of analysis and the CVSS 4.0 supplemental metric E:U confirms no known active exploitation, but the wide install base and admin-targeting nature of the payload make this relevant to Joomla site operators.
Unauthorized access to workflow stage and transition data in Joomla! CMS is possible due to an improper access check in the com_workflow component (CWE-284), allowing authenticated users who lack the necessary workflow management permissions to read internal content publication configuration. The CVSS 4.0 vector assigns high subsequent-system impacts (SC:H/SI:H/SA:H), suggesting the vendor assessed this metadata exposure as a meaningful enabler of broader content pipeline compromise. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Incorrect access control in Joomla! CMS's com_modules component exposes the module listing interface to frontend users who should not have visibility into installed modules. The flaw stems from CWE-284 (Improper Access Control), where the frontend fails to enforce sufficient privilege checks before returning module enumeration data. No public exploit or CISA KEV listing has been identified at time of analysis, and the EPSS score is not provided in source data, but the CVSS 4.0 score of 6.4 reflects meaningful subsequent-system impact potential stemming from reconnaissance value of the disclosed module inventory.
Improper access control in Joomla! CMS exposes com_privacy component webservice endpoints to users lacking the required authorization, allowing unauthorized reads of GDPR/privacy datasets. The flaw is classified as CWE-284 and impacts downstream systems at high severity per the vendor-supplied CVSS 4.0 vector, despite requiring high privileges on the vulnerable system itself - a tension that suggests role-boundary bypass rather than fully unauthenticated access. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Cross-site scripting in Joomla! CMS modalreturn layout components enables a high-privileged attacker to inject and execute arbitrary JavaScript in a victim administrator's browser session. The root cause is insufficient output escaping in multiple component layouts that handle modal return values. No public exploit code has been identified and CISA KEV does not list this vulnerability; the CVSS 4.0 exploitation likelihood metric (E:U) further indicates no observed active exploitation at time of analysis.
Cross-site scripting in Joomla! CMS's generic image output layout enables a high-privileged attacker to inject malicious script payloads that execute in the browsers of other authenticated users who view the affected content. The root cause is absent HTML output escaping in the image rendering component (CWE-79), allowing injected JavaScript to break out of the intended data context. No public exploit has been identified at time of analysis, and exploitation requires a pre-existing high-privileged Joomla account plus passive victim interaction, substantially limiting real-world exposure despite high impact scores on confidentiality and integrity.
Improper access control in Joomla! CMS com_contact component exposes restricted contact records via vcard (VCF) export to authenticated users who should not have access. Affecting versions 3.0.0 through 5.4.6 and 6.0.0 through 6.1.1, the flaw allows an authenticated user to bypass access restrictions and download vcard exports of contacts that have been explicitly restricted from their view. No public exploit code or active exploitation has been identified at time of analysis, but the wide deployment footprint of Joomla and the breadth of affected versions (spanning both the 3.x/5.x and 6.x branches) make patching a priority for sites using the com_contact component.
Cross-site scripting in Joomla! CMS multi-factor authentication management views allows a high-privileged attacker to inject persistent malicious scripts that execute in the browser of any administrator who subsequently views the MFA management interface. Affected versions span two major release lines: 4.2.0-5.4.6 and 6.0.0-6.1.1, representing a broad surface across both legacy and current deployments. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, successful exploitation yields high confidentiality and integrity impact against the victim administrator's browser session.
Stored XSS in Joomla CMS's language override administrative feature allows a high-privileged attacker to inject malicious scripts that execute in the browser of any user who subsequently renders the affected language string. Rooted in CWE-79 (improper output neutralization), the vulnerability requires an administrative account to place the payload but can then target other admins or front-end users. No public exploit code has been identified at time of analysis (CVSS E:U), and the vulnerability is not listed in the CISA KEV catalog.
Blind SQL injection in the com_finder (Smart Search) component of Joomla! CMS allows authenticated high-privilege users to extract confidential data from the underlying database across versions 5.4.0-5.4.5 and 6.0.0-6.1.0. The vulnerability stems from improperly constructed SQL filter clauses in search queries that permit attacker-controlled input to alter query logic. No public exploit has been identified at time of analysis, CISA has not added this to the KEV catalog, and EPSS probability sits at 0.03%, signaling minimal observed exploitation pressure.
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent MFA checks due to insufficient state validation during the authentication flow. The flaw (CWE-287) was disclosed by the Joomla! project itself and tracked as EUVD-2026-31890; no public exploit identified at time of analysis and EPSS is very low (0.01%, 2nd percentile), but the integrity impact is high since attackers reaching this path effectively defeat the second authentication factor.
CSRF token validation is absent on the admin user activation endpoint (com_users component) in Joomla! CMS 6.0.0 through 6.1.0, allowing a remote attacker to trigger unauthorized user activation actions by luring an authenticated administrator into visiting a crafted page. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation requires an active, logged-in administrator and deliberate user interaction, constraining real-world risk despite the network-accessible attack vector. No public exploit code exists and CISA has not added this to KEV; EPSS places exploitation probability at 0.02% (5th percentile), consistent with SSVC's 'none' exploitation status.
Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privilege attackers to read arbitrary server files via improper validation of the layout parameter in htmlview. The flaw is reported by the Joomla project itself (EUVD-2026-31888) and no public exploit identified at time of analysis, with EPSS scoring 0.00% and CISA SSVC marking exploitation status as none despite total technical impact.
Authenticated blind SQL injection in Joomla! CMS's com_tags component allows high-privileged attackers to exfiltrate database contents by supplying maliciously crafted ORDER BY clauses that are not properly validated. Affected versions span two distinct release trains: the 4.x/5.x line (4.0.0 through 5.4.5) and the 6.x line (6.0.0 through 6.1.0), meaning the vulnerability persists across both legacy and current major releases. No public exploit code has been identified at time of analysis, and the EPSS score of 0.00% indicates negligible automated exploitation probability, though the high-privilege requirement significantly limits the realistic attacker pool.
Path traversal in Joomla! CMS com_media web service endpoint allows authenticated high-privilege attackers to read arbitrary files outside the intended web root via a manipulated search parameter. Affected versions span two major release trains: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. No public exploit code exists and no active exploitation has been confirmed, but the vulnerability results in full confidentiality loss of the vulnerable system's filesystem contents accessible to the web process.
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor authentication (MFA) due to insufficient state validation during the login flow. The flaw, tracked as CVE-2026-48897 and reported by the Joomla! project, undermines the integrity protections expected from 2FA and could grant attackers access to accounts whose credentials are already known or guessable. EPSS probability is low (0.04%, 13th percentile) and there is no public exploit identified at time of analysis.
Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated high-privilege attacker to inject malicious scripts that execute in another user's browser session, yielding high confidentiality impact on the vulnerable system. Affected installations span Joomla! CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. SSVC assessment lists exploitation as none, EPSS is 0.04% (13th percentile), and no public exploit code or CISA KEV listing exists, indicating this is a low-urgency but genuine privilege-escalation-adjacent risk in multi-administrator Joomla environments.
Privilege escalation in Joomla! CMS via the com_users batch task allows low-privileged authenticated users to bypass access controls and elevate their user group membership or permissions. Affected versions span two major release lines: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0, as confirmed by ENISA EUVD-2026-31880 and the Joomla Security Centre. No public exploit has been identified and EPSS is effectively zero; however, SSVC assesses the technical impact as total, meaning successful exploitation could yield full privilege takeover within the application.
Improper access control in Joomla! CMS com_scheduler component permits low-privileged authenticated backend users to modify the task types of existing scheduler tasks, an operation that should be restricted to higher-privileged administrators. Affected versions span Joomla! 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0. While no public exploit code exists and CISA KEV has not confirmed active exploitation, the high subsequent-system impact scores (SC:H/SI:H/SA:H) in the CVSS 4.0 vector indicate that tampering with scheduler task types can produce significant integrity and availability consequences beyond the immediately vulnerable component.
Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated with plain HTTP URLs instead of HTTPS when the 'Force SSL' configuration flag is not explicitly enabled. Affected installations span Joomla! 3.9.0 through 5.4.5 and 6.0.0 through 6.1.0, exposing reset tokens to network interception. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.02% (5th percentile) despite the 9.8 CVSS rating.
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges to access configuration data they should not be permitted to reach, impacting confidentiality, integrity, and availability of the affected site. The flaw spans Joomla 4.0.0-5.4.5 and 6.0.0-6.1.0 and was disclosed by the Joomla! Project itself with a CVSS 4.0 base of 8.6. No public exploit identified at time of analysis and EPSS is very low at 0.04%.
Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsanitized content that executes in the browser context of a victim user who passively views the affected feed output. Affecting the broad version spans of 3.0.0 through 5.4.5 and 6.0.0 through 6.1.0, the root cause is a failure to apply output escaping before rendering feed module data. No public exploit has been identified at time of analysis, and SSVC confirms no current active exploitation.
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abuse an improper access check in the com_users group editing webservice endpoint to elevate privileges. The CVSS 4.0 vector indicates network-reachable exploitation without authentication or user interaction, with high impact to integrity but no confidentiality or availability impact. There is no public exploit identified at time of analysis and EPSS is effectively 0%, but the vendor advisory confirms the access-control flaw.
Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to inject unescaped output into readmore links, executing arbitrary JavaScript in a victim's browser upon interaction. Affected releases span Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0. No public exploit code has been identified and CISA KEV does not list this vulnerability, but a vendor security advisory has been published at the Joomla Security Centre.
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users batch task due to an improper access check (CWE-284). The flaw enables unauthorized modification of user accounts and elevation of privileges across affected installations, with no public exploit identified at time of analysis. EPSS scoring is 0.00% and the vulnerability is not listed in CISA KEV, but the CVSSv4 base score of 8.2 reflects high integrity impact.
Cross-site scripting in Joomla! CMS content history component (com_contenthistory) allows a high-privileged attacker to inject persistent malicious scripts due to missing output escaping, leading to confidentiality compromise of the vulnerable system when a victim views affected history entries. Confirmed affected versions span Joomla! CMS 3.0.0-5.4.5 and 6.0.0-6.1.0 across an exceptionally wide installed base. No public exploit code exists and the vulnerability is not in the CISA KEV catalog; EPSS of 0.04% (13th percentile) confirms no observed widespread exploitation at time of analysis.
Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without including a security-sensitive parameter, allowing a previously cached filter instance to be returned even when a different security posture was requested. Remote unauthenticated attackers can leverage the resulting filter mismatch to retrieve sensitive data (CVSS 7.5, C:H only). No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating low predicted exploitation in the near term.
SQL injection in Joomla CMS articles webservice endpoint allows remote attackers to execute arbitrary SQL queries through improperly constructed ORDER BY clauses, affecting all versions of Joomla CMS. The vulnerability exists in the com_content component's webservice endpoint and permits unauthenticated query manipulation. No CVSS score or patch version information is available at time of analysis, limiting severity quantification.
Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote attackers to delete files on affected servers due to insufficient input validation. The vulnerability affects all versions of Joomla! CMS through the update component and carries moderate-to-high real-world risk because file deletion can compromise system integrity, availability, and potentially enable privilege escalation or secondary attacks when combined with other weaknesses.
Joomla CMS fails to enforce authenticated user checks on the AJAX component in the administrative area, allowing potential authentication bypass and unauthorized access to sensitive functionality. Third-party developers expecting default access controls may expose administrative features to unauthenticated or unauthorized users. No CVSS score or public exploit code has been identified, but the vulnerability affects all Joomla CMS versions and requires immediate review of custom AJAX implementations that rely on implicit authentication enforcement.
Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and access protected API functionality without valid credentials. Joomla! CMS versions prior to the patched release are affected. The vulnerability stems from inadequate validation of user permissions before processing webservice requests, enabling remote unauthenticated attackers to interact with restricted endpoints that should require administrative or elevated privileges.
Cross-site scripting (XSS) in Joomla CMS multilingual associations component allows unauthenticated remote attackers to inject malicious scripts via unescaped output in the comparison view. The vulnerability affects all versions of Joomla CMS and stems from improper output encoding in the com_associations component. No CVSS score is available; however, the CWE-79 classification confirms reflected or stored XSS capability.
Joomla CMS fails to properly escape article titles in output, enabling stored cross-site scripting (XSS) attacks across multiple locations. Attackers with article creation or editing privileges can inject malicious scripts into article titles that execute in the browsers of site visitors, potentially compromising user sessions, stealing credentials, or defacing content. The vulnerability affects all Joomla CMS versions and requires administrative action to remediate.