39
CVEs
6
Critical
12
High
0
KEV
7
PoC
16
Unpatched C/H
5.1%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
6
HIGH
12
MEDIUM
17
LOW
3
Monthly CVE Trend
Affected Products (10)
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-22210 | A SQL injection vulnerability in the Hikashop component versions 3.3.0-5.1.4 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the category management. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. | HIGH | 7.2 | 0.2% | 56 |
PoC
No patch
|
| CVE-2025-22204 | Improper control of generation of code in the sourcerer extension for Joomla in versions before 11.0.0 lead to a remote code execution vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | CRITICAL | 9.8 | 4.3% | 53 |
No patch
|
| CVE-2025-25226 | Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | CRITICAL | 9.8 | 0.0% | 49 |
|
| CVE-2025-2126 | A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0 on Joomla and classified as critical.php/properties/list/list-with-sidebar/realties of the component GET Parameter Handler. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. | MEDIUM | 5.3 | 0.6% | 47 |
PoC
No patch
|
| CVE-2025-2127 | A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0 on Joomla. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | MEDIUM | 5.3 | 0.5% | 47 |
PoC
No patch
|
| CVE-2025-30085 | A remote code execution vulnerability (CVSS 9.2). Critical severity with potential for significant impact on affected systems. | CRITICAL | 9.2 | 0.8% | 47 |
No patch
|
| CVE-2025-49467 | Critical unauthenticated SQL injection vulnerability in the JEvents component for Joomla that allows remote attackers to execute arbitrary SQL queries through publicly accessible date range filtering actions. The vulnerability affects JEvents versions before 3.6.88 and 3.6.82.1, enabling attackers to extract sensitive database information, modify data, or potentially achieve remote code execution. With a CVSS score of 9.3 and network-based attack vector requiring no privileges or user interaction, this represents a severe risk to all unpatched Joomla installations using vulnerable JEvents versions. | CRITICAL | 9.3 | 0.1% | 47 |
No patch
|
| CVE-2025-40636 | SQL injection in Joomla mod_vvisit_counter v2.0.4j3. | CRITICAL | 9.3 | 0.0% | 47 |
No patch
|
| CVE-2026-21625 | Arbitrary file upload in Joomla's Easy Discuss component allows authenticated attackers to bypass file validation by spoofing extensions, since the component relies solely on extension checks without verifying MIME types. An attacker with user privileges can upload malicious files to achieve remote code execution on affected systems. No patch is currently available. | HIGH | 8.8 | 0.0% | 44 |
No patch
|
| CVE-2025-22208 | A SQL injection vulnerability in the JS Jobs plugin versions 1.1.5-1.4.3 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands via the 'filter_email' parameter. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. | MEDIUM | 4.7 | 0.1% | 44 |
PoC
No patch
|
| CVE-2025-22209 | A SQL injection vulnerability in the JS Jobs plugin versions 1.1.5-1.4.3 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands via the 'searchpaymentstatus'. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. | MEDIUM | 4.7 | 0.1% | 44 |
PoC
No patch
|
| CVE-2025-49468 | A SQL injection vulnerability (CWE-89) exists in the No Boss Calendar Joomla component versions prior to 5.0.7, allowing authenticated users with high privileges to execute arbitrary SQL commands through the id_module parameter. The vulnerability has a CVSS 4.0 score of 8.6 with high impact on confidentiality, integrity, and availability of the database. While the attack requires high-privilege authenticated access, successful exploitation could lead to complete database compromise, data exfiltration, or system takeover. | HIGH | 8.6 | 0.2% | 43 |
No patch
|
| CVE-2025-32465 | RSTickets! component for Joomla versions 1.9.12 through 3.3.0 contains a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious scripts into the application, which are then executed in the browsers of other users who view the affected content. With a CVSS score of 8.5 and requiring low privilege level plus user interaction, this vulnerability poses a significant risk to Joomla installations using vulnerable RSTickets! versions, particularly in multi-user environments where attackers can escalate privileges or steal administrative credentials. | HIGH | 8.5 | 0.1% | 43 |
No patch
|
| CVE-2025-22205 | Improper handling of input variables lead to multiple path traversal vulnerabilities in the Admiror Gallery extension for Joomla in version branch 4.x. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | HIGH | 7.5 | 0.3% | 38 |
No patch
|
| CVE-2025-25227 | Insufficient state checks lead to a vector that allows to bypass 2FA checks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | HIGH | 7.5 | 0.0% | 38 |
|