A consolidated listing of CVEs and security vulnerability intelligence for all Joomla-related products, including CVSS, EPSS, publication date and vulnerability intelligence data.
Common weakness patterns include path handling flaws, input validation issues, CSRF and open redirects; in production workload and software deployment scenarios these can lead to risks such as session hijacking, file overwriting and anomalous behaviour.
The vulnerability data comes mainly from public vulnerability disclosures and security advisories, and can be used to assess historical vulnerability exposure and patching priority.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-48905 | Lack of input filtering leads to an XSS vector in the HTML filter code. | [email protected] | 6.9 | 0.14% | 2026-05-26 | 2026-06-17 |
| CVE-2026-48904 | An improper access check allows privilege escalation through the com_users group editing webservice endpoint. | [email protected] | 8.2 | 0.29% | 2026-05-26 | 2026-06-17 |
| CVE-2026-48903 | Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. | [email protected] | 6.9 | 0.14% | 2026-05-26 | 2026-06-17 |
| CVE-2026-48902 | The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. | [email protected] | 9.8 | 0.19% | 2026-05-26 | 2026-06-17 |
| CVE-2026-48901 | The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. | [email protected] | 7.5 | 0.24% | 2026-05-26 | 2026-06-17 |
| CVE-2026-48900 | An improper access check allowed low privileged users to edit the task types of existing scheduler tasks. | [email protected] | 6.4 | 0.15% | 2026-05-26 | 2026-06-17 |
| CVE-2026-48899 | An improper access check allows privilege escalation through the com_users batch task. | [email protected] | 5.3 | 0.23% | 2026-05-26 | 2026-06-17 |
| CVE-2026-48898 | An improper access check allows privilege escalation through the com_users batch task. | [email protected] | 8.2 | 0.27% | 2026-05-26 | 2026-06-17 |
| CVE-2026-48897 | Insufficient state checks lead to a vector that allows bypassing 2FA checks. | [email protected] | 8.2 | 0.21% | 2026-05-26 | 2026-06-17 |
| CVE-2026-48896 | Insufficient state checks lead to a vector that allows bypassing 2FA checks. | [email protected] | 8.2 | 0.30% | 2026-05-26 | 2026-06-17 |
| CVE-2026-40384 | An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability. | [email protected] | 5.9 | 0.45% | 2026-05-26 | 2026-06-17 |
| CVE-2026-40383 | An improper validation of user-supplied input leads to a local file inclusion vulnerability. | [email protected] | 7.5 | 0.48% | 2026-05-26 | 2026-06-17 |
| CVE-2026-35223 | An improper access check allows unauthorized access to com_config webservice endpoints. | [email protected] | 8.6 | 0.35% | 2026-05-26 | 2026-06-17 |
| CVE-2026-35222 | Improperly validated order clauses lead to a SQL injection vulnerability in com_tags. | [email protected] | 6.9 | 0.31% | 2026-05-26 | 2026-06-17 |
| CVE-2026-35221 | Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder. | [email protected] | 6.9 | 0.31% | 2026-05-26 | 2026-06-17 |
| CVE-2026-35220 | Lack of CSRF token validation leads to a CSRF attack vector in the admin activation endpoint of com_users. | [email protected] | 4.6 | 0.10% | 2026-05-26 | 2026-06-17 |
| CVE-2026-30895 | Lack of output escaping leads to an XSS vector in the readmore links for com_content. | [email protected] | 6.9 | 0.18% | 2026-05-26 | 2026-06-17 |
| CVE-2026-30894 | Lack of output escaping leads to an XSS vector in the content history component. | [email protected] | 6.9 | 0.18% | 2026-05-26 | 2026-06-17 |
| CVE-2026-25901 | Lack of output escaping leads to an XSS vector in the multilingual associations component. | [email protected] | 6.9 | 0.18% | 2026-05-26 | 2026-06-17 |
| CVE-2026-25900 | Lack of output escaping leads to an XSS vector in the feed modules. | [email protected] | 6.9 | 0.18% | 2026-05-26 | 2026-06-17 |