NVD や CVE、ほか複数の脅威フィードを束ね、RCE など高リスクな事象を深く追える一覧です。CVSS と EPSS を組み合わせ、Exploit 参照や PoC の有無から悪用しやすさを追跡します。ベンダー修正や緩和策の文脈とあわせて優先度を決め、対応サイクルを短く保ちつつ重要資産を守る支援をします。
Assigner(CNA/発行元):[email protected] この条件を外す
| CVE | 説明 | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|
| CVE-2025-22212 | A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in backend. | 2.7 | 0.30% | 2025-03-05 | 2026-06-17 |
| CVE-2026-48940 | A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page. | 3.4 | 0.17% | 2026-06-25 | 2026-06-28 |
| CVE-2025-22211 | A SQL injection vulnerability in the JoomShopping component versions 1.0.0-1.4.3 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the country management area in backend. | 3.4 | 0.34% | 2025-02-25 | 2026-06-17 |
| CVE-2025-25228 | A SQL injection in VirtueMart component 1.0.0 - 4.4.7 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the product management area in backend. | 3.8 | 0.21% | 2025-04-21 | 2026-06-17 |
| CVE-2024-21723 | Inadequate parsing of URLs could result into an open redirect. | 4.3 | 0.54% | 2024-02-28 | 2026-06-17 |
| CVE-2023-39973 | Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows the unauthorized removal of attachments from campaigns. | 4.3 | 0.33% | 2023-08-17 | 2026-06-17 |
| CVE-2023-39972 | Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows unauthorized users to create new mailing lists. | 4.3 | 0.33% | 2023-08-17 | 2026-06-17 |
| CVE-2023-23751 | An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs. | 4.3 | 0.44% | 2023-02-01 | 2026-06-17 |
| CVE-2022-27909 | In Joomla component 'jDownloads 3.9.8.2 Stable' the remote user can change some parameters in the address bar and see the names of other users' files | 4.3 | 0.79% | 2022-05-06 | 2026-06-17 |
| CVE-2026-35220 | Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users. | 4.6 | 0.10% | 2026-05-26 | 2026-06-17 |
| CVE-2025-22209 | A SQL injection vulnerability in the JS Jobs plugin versions 1.1.5-1.4.3 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands via the 'searchpaymentstatus' parameter in the Employer Payment History search feature. | 4.7 | 0.27% | 2025-02-15 | 2026-06-17 |
| CVE-2025-22208 | A SQL injection vulnerability in the JS Jobs plugin versions 1.1.5-1.4.3 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands via the 'filter_email' parameter in the GDPR Erase Data Request search feature. | 4.7 | 0.60% | 2025-02-15 | 2026-06-17 |
| CVE-2025-22206 | A SQL injection vulnerability in the JS Jobs plugin versions 1.1.5-1.4.2 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands via the 'fieldfor' parameter in the GDPR Field feature. | 4.7 | 9.16% | 2025-02-04 | 2026-06-17 |
| CVE-2026-21625 | User provided uploads to the Easy Discuss component for Joomla aren't properly validated. Uploads are purely checked by file extensions, no mime type checks are happening. | 4.8 | 0.35% | 2026-01-16 | 2026-06-17 |
| CVE-2025-54476 | Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class. | 4.8 | 0.29% | 2025-09-30 | 2026-06-17 |
| CVE-2025-27444 | A reflected XSS vulnerability in RSform!Pro component 3.0.0 - 3.3.13 for Joomla was discovered. The issue arises from the improper handling of the filter[dateFrom] GET parameter, which is reflected unescaped in the administrative backend interface. This allows an authenticated attacker with admin or editor privileges to inject arbitrary JavaScript code by crafting a malicious URL. | 4.8 | 0.26% | 2025-06-04 | 2026-06-17 |
| CVE-2025-54295 | A Reflected XSS vulnerability in DJ-Reviews component 1.0-1.3.6 for Joomla was discovered. | 5.1 | 0.30% | 2025-07-23 | 2026-06-17 |
| CVE-2025-50058 | A stored XSS vulnerability in the RSDirectory! component 1.0.0-2.2.8 Joomla was discovered. The issue allows remote authenticated attackers to inject arbitrary web script or HTML via the review reply component. | 5.1 | 0.36% | 2025-07-18 | 2026-06-17 |
| CVE-2025-50056 | A reflected XSS vulnerability in RSMail! component 1.19.20 - 1.22.26 28 Joomla was discovered. The issue allows remote attackers to inject arbitrary web script or HTML via the crafted parameter. | 5.1 | 0.37% | 2025-07-18 | 2026-06-17 |
| CVE-2026-48945 | The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access. | 5.3 | 0.20% | 2026-06-25 | 2026-06-28 |