Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

Joomla! Project — Vulnerabilities & Security Advisories 102

Browse all 102 CVE security advisories affecting Joomla! Project. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Joomla! Project develops an open-source content management system widely used for building websites and online applications. Historically, its codebase has been associated with numerous security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from insufficient input validation and improper access controls within extensions or core components. With eighty-two recorded CVEs, the project demonstrates a pattern of recurring weaknesses that require diligent patching. While the core framework itself has seen improvements, the extensive ecosystem of third-party extensions frequently introduces additional attack surfaces. Major incidents have highlighted the critical importance of timely updates and secure configuration practices. Administrators must prioritize vulnerability management to mitigate risks, as the platform’s popularity makes it a frequent target for automated exploitation attempts seeking to compromise underlying server infrastructure.

Top products by Joomla! Project: Joomla! CMS Joomla! Framework Filter package Joomla! Framework
CVE IDTitleCVSSSeverityPublished
CVE-2026-35221 Joomla! Core - [20260506] - Authenticated blind SQLi in com_finder — Joomla! CMSCWE-89--2026-05-26
CVE-2026-48903 Joomla! Framework - [20260519] - Inadequate content filtering within the checkAttribute filter code. — Joomla! Framework Filter packageCWE-79--2026-05-26
CVE-2026-48896 Joomla! Core - [20260511] - MFA Authentication Bypass — Joomla! CMSCWE-287--2026-05-26
CVE-2026-35220 Joomla! Core - [20260505] - CSRF in user activation endpoint — Joomla! CMSCWE-352--2026-05-26
CVE-2026-40383 Joomla! Core - [20260509] - LFI in HTMLView layout parameter — Joomla! CMSCWE-22--2026-05-26
CVE-2026-35222 Joomla! Core - [20260507] - Authenticated blind SQLi in com_tags — Joomla! CMSCWE-89--2026-05-26
CVE-2026-40384 Joomla! Core - [20260510] - Path traversal in com_media webservice endpoint — Joomla! CMSCWE-22--2026-05-26
CVE-2026-48905 Joomla! Framework - [20260520] - Inadequate content filtering within the cleanAttributes filter code. — Joomla! Framework Filter packageCWE-79--2026-05-26
CVE-2026-48897 Joomla! Core - [20260512] - MFA Authentication Bypass — Joomla! CMSCWE-287--2026-05-26
CVE-2026-25901 Joomla! Core - [20260502] - XSS in com_associations — Joomla! CMSCWE-79--2026-05-26
CVE-2026-48899 Joomla! Core - [20260515] - Incorrect Access Control in sample data plugins — Joomla! CMSCWE-284--2026-05-26
CVE-2026-48900 Joomla! Core - [20260516] - Incorrect Access Control in com_scheduler — Joomla! CMSCWE-284--2026-05-26
CVE-2026-48902 Joomla! Core - [20260518] - Transport encryption downgrade for password and username reset links — Joomla! CMS--2026-05-26
CVE-2026-35223 Joomla! Core - [20260508] - Improper access check in com_config webservice endpoints — Joomla! CMSCWE-284--2026-05-26
CVE-2026-25900 Joomla! Core - [20260501] - XSS in feed modules — Joomla! CMSCWE-79--2026-05-26
CVE-2026-48904 Joomla! Core - [20260514] - Privilege escalation through com_users webservice endpoints — Joomla! CMSCWE-284--2026-05-26
CVE-2026-30895 Joomla! Core - [20260504] - XSS in readmore links — Joomla! CMSCWE-79--2026-05-26
CVE-2026-48898 Joomla! Core - [20260513] - Privilege escalation through com_users batch task — Joomla! CMSCWE-284--2026-05-26
CVE-2026-30894 Joomla! Core - [20260503] - XSS in com_contenthistory — Joomla! CMSCWE-79--2026-05-26
CVE-2026-48901 Joomla! Core - [20260517] - Incorrect Cache Key Construction for InputFilter objects — Joomla! CMS--2026-05-26
CVE-2026-21630 Joomla! Core - [20260302] - SQL injection in com_content articles webservice endpoint — Joomla! CMSCWE-89 9.8AICriticalAI2026-04-01
CVE-2026-23898 Joomla! Core - [20260305] - Arbitrary file deletion in com_joomlaupdate — Joomla! CMSCWE-73 9.1AICriticalAI2026-04-01
CVE-2026-21629 Joomla! Core - [20260301] - ACL hardening in com_ajax — Joomla! CMSCWE-284 9.8AICriticalAI2026-04-01
CVE-2026-23899 Joomla! Core - [20260306] - Improper access check in webservice endpoints — Joomla! CMSCWE-284 8.1AIHighAI2026-04-01
CVE-2026-21631 Joomla! Core - [20260303] - XSS vector in com_associations comparison view — Joomla! CMSCWE-79 6.1AIMediumAI2026-04-01
CVE-2026-21632 Joomla! Core - [20260304] - XSS vectors in various article title outputs — Joomla! CMSCWE-79 5.4AIMediumAI2026-04-01
CVE-2025-63082 Joomla! Core - [20260101] - Inadequate content filtering for data URLs — Joomla! CMSCWE-79 6.1 -2026-01-06
CVE-2025-63083 Joomla! Core - [20260102] - XSS vector in the pagebreak plugin — Joomla! CMSCWE-79 6.1 -2026-01-06
CVE-2025-54477 Joomla! Core - [20250902] User-Enumeration in passkey authentication method — Joomla! CMSCWE-203 5.3AIMediumAI2025-09-30
CVE-2025-54476 Joomla! Core - [20250901] Inadequate content filtering within the checkAttribute filter code — Joomla! CMSCWE-79 6.1AIMediumAI2025-09-30

This page lists every published CVE security advisory associated with Joomla! Project. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.