Aggregates CVE and security vulnerability intelligence across all Joomla-related products, including CVSS scores, EPSS scores, publication dates, and related vulnerability intelligence data.
Historical issues mainly involve path handling, input validation, CSRF, and open redirect problems; some flaws may lead to session compromise.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-48905 | Lack of input filtering leads to an XSS vector in the HTML filter code. | [email protected] | 6.9 | 0.01% | 2026-05-26 | 2026-05-26 |
| CVE-2026-48904 | An improper access check allows privilege escalation through the com_users group editing webservice endpoint. | [email protected] | 8.2 | 0.00% | 2026-05-26 | 2026-05-26 |
| CVE-2026-48903 | Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. | [email protected] | 6.9 | 0.01% | 2026-05-26 | 2026-05-26 |
| CVE-2026-48902 | The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. | [email protected] | 9.8 | 0.02% | 2026-05-26 | 2026-06-02 |
| CVE-2026-48901 | The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. | [email protected] | 7.5 | 0.02% | 2026-05-26 | 2026-05-28 |
| CVE-2026-48900 | An improper access check allowed low privileged users to edit the task types of existing scheduler tasks. | [email protected] | 6.4 | 0.00% | 2026-05-26 | 2026-05-26 |
| CVE-2026-48899 | An improper access check allows privilege escalation through the com_users batch task. | [email protected] | 5.3 | 0.00% | 2026-05-26 | 2026-05-26 |
| CVE-2026-48898 | An improper access check allows privilege escalation through the com_users batch task. | [email protected] | 8.2 | 0.00% | 2026-05-26 | 2026-05-26 |
| CVE-2026-48897 | Insufficient state checks lead to a vector that allows 2FA checks to be bypassed. | [email protected] | 8.2 | 0.04% | 2026-05-26 | 2026-05-28 |
| CVE-2026-48896 | Insufficient state checks lead to a vector that allows 2FA checks to be bypassed. | [email protected] | 8.2 | 0.01% | 2026-05-26 | 2026-05-28 |
| CVE-2026-40384 | An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability. | [email protected] | 5.9 | 0.02% | 2026-05-26 | 2026-05-28 |
| CVE-2026-40383 | An improper validation of user-supplied input leads to a local file inclusion vulnerability. | [email protected] | 7.5 | 0.00% | 2026-05-26 | 2026-05-27 |
| CVE-2026-35223 | An improper access check allows unauthorized access to com_config webservice endpoints. | [email protected] | 8.6 | 0.04% | 2026-05-26 | 2026-05-28 |
| CVE-2026-35222 | Improperly validated order clauses lead to a SQL injection vulnerability in com_tags. | [email protected] | 6.9 | 0.00% | 2026-05-26 | 2026-05-27 |
| CVE-2026-35221 | Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder. | [email protected] | 6.9 | 0.03% | 2026-05-26 | 2026-05-27 |
| CVE-2026-35220 | Lack of CSRF token validation leads to a CSRF attack vector in the admin activation endpoint of com_users. | [email protected] | 4.6 | 0.02% | 2026-05-26 | 2026-05-27 |
| CVE-2026-30895 | Lack of output escaping leads to an XSS vector in the readmore links for com_content. | [email protected] | 6.9 | 0.04% | 2026-05-26 | 2026-05-27 |
| CVE-2026-30894 | Lack of output escaping leads to an XSS vector in the content history component. | [email protected] | 6.9 | 0.04% | 2026-05-26 | 2026-05-27 |
| CVE-2026-25901 | Lack of output escaping leads to an XSS vector in the multilingual associations component. | [email protected] | 6.9 | 0.04% | 2026-05-26 | 2026-05-27 |
| CVE-2026-25900 | Lack of output escaping leads to an XSS vector in the feed modules. | [email protected] | 6.9 | 0.04% | 2026-05-26 | 2026-05-27 |