Joomla CMS

By the Year

In 2026 there have been 8 vulnerabilities in Joomla. Last year, in 2025 Joomla had 8 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Joomla in 2026 could surpass last years number.

Recent Joomla Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-21630	Apr 01, 2026	Joomla Articles Webservice SQLi via ORDER BY clause Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.	Joomla
CVE-2026-23898	Apr 01, 2026	Joomla CMS AutoUpd File Delete via Input Validation Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.	Joomla
CVE-2026-21629	Apr 01, 2026	Joomla AJAX Auth Bypass via Admin Check Exclusion The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.	Joomla
CVE-2026-23899	Apr 01, 2026	Joomla Improper Access Check Allows Unauthorized Webservice Access An improper access check allows unauthorized access to webservice endpoints.	Joomla
CVE-2026-21631	Apr 01, 2026	Joomla Multilingual Associations XSS via Unescaped Output Lack of output escaping leads to a XSS vector in the multilingual associations component.	Joomla
CVE-2026-21632	Apr 01, 2026	Joomla CMS XSS via unsanitized article titles Lack of output escaping for article titles leads to XSS vectors in various locations.	Joomla
CVE-2025-63082	Jan 06, 2026	Joomla HTML Filter XSS via Img Data URLs Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.	Joomla
CVE-2025-63083	Jan 06, 2026	Joomla Pagebreak Plugin XSS via Unescaped Output Lack of output escaping leads to a XSS vector in the pagebreak plugin.	Joomla
CVE-2025-54477	Sep 30, 2025	User Enum via Improper Passkey Auth Handling (CVE-2025-54477) Improper handling of authentication requests lead to a user enumeration vector in the passkey authentication method.	Joomla
CVE-2025-54476	Sep 30, 2025	XSS via checkAttribute in InputFilter Framework Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class.	Joomla
CVE-2025-50057	Jul 18, 2025	RSFiles! Component: DOS via Search in Joomla 1.16.3-1.17.7 A DOS vulnerability in RSFiles! component 1.16.3-1.17.7 Joomla was discovered. The issue allows unauthenticated remote attackers to deny access to service via the search feature.	Joomla
CVE-2025-25226	Apr 08, 2025	SQLi in quoteNameStr of database package (method protected) Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.	Joomla
CVE-2025-25227	Apr 08, 2025	2FA Bypass via Insufficient State Check Insufficient state checks lead to a vector that allows to bypass 2FA checks.	Joomla
CVE-2024-40747	Jan 07, 2025	Joomla! XSS via Module Chrome Exploit Various module chromes didn't properly process inputs, leading to XSS vectors.	Joomla
CVE-2024-40748	Jan 07, 2025	Drupal XSS: Unescaped id in menu lists Lack of output escaping in the id attribute of menu lists.	Joomla
CVE-2024-40749	Jan 07, 2025	Improper Access Control enables access to protected views Improper Access Controls allows access to protected views.	Joomla
CVE-2024-27184	Aug 20, 2024	Open Redirect via Inadequate URL Validation Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not..	Joomla
CVE-2024-27185	Aug 20, 2024	Cache Poisoning via Arbitrary Pagination Params The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.	Joomla
CVE-2024-27186	Aug 20, 2024	Mail Template XSS in multiple extensions (CVE-2024-27186) The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.	Joomla
CVE-2024-27187	Aug 20, 2024	Improper Access Control: Backend Users Overwrite Username Improper Access Controls allows backend users to overwrite their username when disallowed.	Joomla
CVE-2024-40743	Aug 20, 2024	XSS via stripImages & stripIframes input handling (PHP) The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.	Joomla
CVE-2024-21729	Jul 09, 2024	XSS via accessiblemedia field in AccessibleMedia WP plugin Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.	Joomla
CVE-2024-21730	Jul 09, 2024	fancyselect list field selfXSS via improper escaping The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.	Joomla
CVE-2024-21731	Jul 09, 2024	Yii2 PHP: StringHelper::truncate XSS Vulnerability Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.	Joomla
CVE-2024-26278	Jul 09, 2024	Custom Fields Component XSS Vulnerability The Custom Fields component not correctly filter inputs, leading to a XSS vector.	Joomla
CVE-2024-26279	Jul 09, 2024	XSS via Improper Input Validation in Wrapper Extensions The wrapper extensions do not correctly validate inputs, leading to XSS vectors.	Joomla
CVE-2024-21722	Feb 29, 2024	MFA Session Not Properly Terminated on MFA Method Change The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.	Joomla
CVE-2024-21723	Feb 29, 2024	Open Redirect via Inadequate URL Parsing Inadequate parsing of URLs could result into an open redirect.	Joomla
CVE-2024-21725	Feb 29, 2024	XSS via Unescaped Email Addresses in PHP Components Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components.	Joomla
CVE-2024-21726	Feb 29, 2024	XSS via weak content filtering in multiple components Inadequate content filtering leads to XSS vulnerabilities in various components.	Joomla
CVE-2024-21724	Feb 29, 2024	WordPress Extensions XSS via Media Selection Fields (CVE-2024-21724) Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions.	Joomla
CVE-2023-40626	Nov 29, 2023	Drupal Language File Parsing Exposes Env Vars The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.	Joomla
CVE-2023-23754	May 30, 2023	Joomla! 4.2-4.3 MFA Screen Open Redirect & XSS An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.	Joomla
CVE-2023-23755	May 30, 2023	Joomla! 4.2.0-4.3.1 MFA Brute Force via Missing Rate Limiting An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.	Joomla
CVE-2023-23752	Feb 16, 2023	Joomla! 4.0.0-4.2.7: Unauth Webservice Access An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.	Joomla
CVE-2023-23750	Feb 01, 2023	CSRF in Joomla! 4.0.0-4.2.6 PostInstall Msg Handling An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.	Joomla
CVE-2023-23751	Feb 01, 2023	Joomla! ACL Flaw in com_actionlogs 4.0.0-4.2.4 An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.	Joomla
CVE-2022-27914	Nov 08, 2022	Reflected XSS in Joomla! 4.x com_media (before 4.2.5) An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.	Joomla
CVE-2022-27912	Oct 25, 2022	Joomla! 4.0.0-4.2.3 Debug Mode Exposes Prior Request Data An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.	Joomla
CVE-2022-27913	Oct 25, 2022	Joomla! 4.2.* Reflected XSS via Reflected Input in Various Components An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.	Joomla
CVE-2022-27911	Aug 31, 2022	Joomla! 4.2.0 Full Path Disclosure due to missing _JEXEC check An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing '_JEXEC or die check' caused by the PSR12 changes.	Joomla
CVE-2022-23796	Mar 30, 2022	An issue was discovered in Joomla! 3.7.0 through 3.10.6 An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields.	Joomla
CVE-2022-23801	Mar 30, 2022	An issue was discovered in Joomla! 4.0.0 through 4.1.0 An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS atack vector through SVG embedding in com_media.	Joomla
CVE-2022-23800	Mar 30, 2022	An issue was discovered in Joomla! 4.0.0 through 4.1.0 An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components.	Joomla
CVE-2022-23799	Mar 30, 2022	An issue was discovered in Joomla! 4.0.0 through 4.1.0 An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data.	Joomla
CVE-2022-23798	Mar 30, 2022	An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0 An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not.	Joomla
CVE-2022-23797	Mar 30, 2022	An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0 An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering on the selected Ids on an request could resulted into an possible SQL injection.	Joomla
CVE-2022-23793	Mar 30, 2022	An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0 An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting an specifilcy crafted tar package could write files outside of the intended path.	Joomla
CVE-2022-23794	Mar 30, 2022	An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0 An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Uploading a file name of an excess length causes the error. This error brings up the screen with the path of the source code of the web application.	Joomla
CVE-2022-23795	Mar 30, 2022	An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0 An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover.	Joomla