Joomla CMS


Products by Joomla Sorted by Most Security Vulnerabilities since 2018

Joomla: 200 vulnerabilities
Joomla Jambook: 1 vulnerability
Joomla Jim Component: 1 vulnerability
Joomla Rssxt Component: 1 vulnerability
Joomla X Shop Component: 1 vulnerability

By the Year

In 2026 there have so far been 28 vulnerabilities in Joomla with an average CVSS base score of 8.65 out of ten. In 2025 Joomla had 8 security vulnerabilities published, so 20 more vulnerabilities have already been reported in 2026 than in all of last year, and the average CVE base score of the 2026 vulnerabilities is 3.35 points higher (8.65 against 5.30).




Year   Vulnerabilities   Average Score
2026   28                8.65
2025    8                5.30
2024   15                5.98
2023    6                6.17
2022   13                6.88
2021   28                6.52
2020   33                6.70
2019   29                6.78
2018   24                7.10

It may take a day or so for new Joomla vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Joomla Security Vulnerabilities

Each entry: CVE identifier (publication date) and affected product, followed by the title and summary.

CVE-2026-35221 (May 26, 2026) Product: Joomla
Joomla com_finder SQLi via Improper Filter Clauses: Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.

CVE-2026-48903 (May 26, 2026) Product: Joomla
XSS via Inadequate Content Filtering in Joomla checkAttribute Methods: Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.

CVE-2026-48896 (May 26, 2026) Product: Joomla
Joomla 2FA Bypass via Insufficient State Checks: Insufficient state checks lead to a vector that allows bypassing 2FA checks.

CVE-2026-35220 (May 26, 2026) Product: Joomla
Joomla CSRF Token Bypass in com_users Admin Activation: Lack of CSRF token validation leads to a CSRF attack vector in the admin activation endpoint of com_users.

CVE-2026-40383 (May 26, 2026) Product: Joomla
Joomla LFI via Improper Input Validation: Improper validation of user-supplied input leads to a local file inclusion vulnerability.

CVE-2026-35222 (May 26, 2026) Product: Joomla
Joomla com_tags SQL Injection via Order Clause: Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.

CVE-2026-40384 (May 26, 2026) Product: Joomla
Joomla com_media Path Traversal via Unvalidated Search Parameter: Improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.

CVE-2026-48905 (May 26, 2026) Product: Joomla
XSS via Lack of Input Filtering in Joomla HTML Filter: Lack of input filtering leads to an XSS vector in the HTML filter code.

CVE-2026-48897 (May 26, 2026) Product: Joomla
Joomla 2FA Bypass via Insufficient State Checks: Insufficient state checks lead to a vector that allows bypassing 2FA checks.

CVE-2026-25901 (May 26, 2026) Product: Joomla
Joomla Multilingual Associations XSS from Unescaped Output: Lack of output escaping leads to an XSS vector in the multilingual associations component.

CVE-2026-48899 (May 26, 2026) Product: Joomla
Privilege Escalation via Improper Access Check in Joomla com_users Batch Task: An improper access check allows privilege escalation through the com_users batch task.

CVE-2026-48900 (May 26, 2026) Product: Joomla
Joomla Improper Access Check Lets Low-Privilege Users Edit Scheduler Task Types: An improper access check allowed low-privileged users to edit the task types of existing scheduler tasks.

CVE-2026-48902 (May 26, 2026) Product: Joomla
Joomla Auth Reset Generates Plain HTTP Links Without Force SSL: The password and username reset features created plain HTTP links for HTTPS connections if the "Force SSL" option was not explicitly set.

CVE-2026-35223 (May 26, 2026) Product: Joomla
Joomla com_config Improper Access Check on Webservice Endpoints: An improper access check allows unauthorized access to com_config webservice endpoints.

CVE-2026-25900 (May 26, 2026) Product: Joomla
Joomla Feed Module XSS via Unescaped Output: Lack of output escaping leads to an XSS vector in the feed modules.

CVE-2026-48904 (May 26, 2026) Product: Joomla
Joomla com_users Webservice Privilege Escalation: An improper access check allows privilege escalation through the com_users group editing webservice endpoint.

CVE-2026-30895 (May 26, 2026) Product: Joomla
Joomla com_content XSS via Read More Links: Lack of output escaping leads to an XSS vector in the readmore links for com_content.

CVE-2026-48898 (May 26, 2026) Product: Joomla
Joomla Improper Access Check in com_users Batch Task Enables Privilege Escalation: An improper access check allows privilege escalation through the com_users batch task.

CVE-2026-30894 (May 26, 2026) Product: Joomla
Joomla XSS in Content History Due to Lack of Output Escaping: Lack of output escaping leads to an XSS vector in the content history component.

CVE-2026-48901 (May 26, 2026) Product: Joomla
Joomla InputFilter Cache Key Omits a Security-Sensitive Parameter: The InputFilter::getInstance() method omitted a security-sensitive parameter from the instance cache key, so a cached instance could be returned to a caller that asked for different filtering settings.

CVE-2026-21630 (Apr 01, 2026) Product: Joomla
Joomla Articles Webservice SQLi via ORDER BY Clause: Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

CVE-2026-23898 (Apr 01, 2026) Product: Joomla
Joomla CMS Autoupdate Arbitrary File Deletion via Missing Input Validation: Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

CVE-2026-21629 (Apr 01, 2026) Product: Joomla
Joomla AJAX Auth Bypass via Admin Check Exclusion: The ajax component was excluded from the default logged-in-user check in the administrative area, behaviour that third-party developers may not have expected.

CVE-2026-23899 (Apr 01, 2026) Product: Joomla
Joomla Improper Access Check Allows Unauthorized Webservice Access: An improper access check allows unauthorized access to webservice endpoints.

CVE-2026-21631 (Apr 01, 2026) Product: Joomla
Joomla Multilingual Associations XSS via Unescaped Output: Lack of output escaping leads to an XSS vector in the multilingual associations component.

CVE-2026-21632 (Apr 01, 2026) Product: Joomla
Joomla CMS XSS via Unescaped Article Titles: Lack of output escaping for article titles leads to XSS vectors in various locations.

CVE-2025-63082 (Jan 06, 2026) Product: Joomla
Joomla HTML Filter XSS via Image Data URLs: Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.

CVE-2025-63083 (Jan 06, 2026) Product: Joomla
Joomla Pagebreak Plugin XSS via Unescaped Output: Lack of output escaping leads to an XSS vector in the pagebreak plugin.

CVE-2025-54477 (Sep 30, 2025) Product: Joomla
User Enumeration via Improper Passkey Authentication Handling: Improper handling of authentication requests leads to a user enumeration vector in the passkey authentication method.

CVE-2025-54476 (Sep 30, 2025) Product: Joomla
XSS via checkAttribute in the InputFilter Framework Class: Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class.

CVE-2025-50057 (Jul 18, 2025) Product: Joomla
RSFiles! Component 1.16.3-1.17.7 for Joomla: DoS via Search: A denial-of-service vulnerability was discovered in the RSFiles! component for Joomla, versions 1.16.3 through 1.17.7. Unauthenticated remote attackers can deny access to the service via the search feature.

CVE-2025-25226 (Apr 08, 2025) Product: Joomla
SQLi in quoteNameStr of the Database Package (Protected Method): Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. Note that the affected method is protected and is not used anywhere in the original packages of either the 2.x or the 3.x branch, so the vulnerability cannot be exploited when the original database class is used. Classes that extend the affected class may be affected if they call the vulnerable method.

CVE-2025-25227 (Apr 08, 2025) Product: Joomla
2FA Bypass via Insufficient State Check: Insufficient state checks lead to a vector that allows bypassing 2FA checks.

CVE-2024-40749 (Jan 07, 2025) Product: Joomla
Improper Access Control Enables Access to Protected Views: Improper access controls allow access to protected views.

CVE-2024-40747 (Jan 07, 2025) Product: Joomla
Joomla XSS via Module Chromes: Various module chromes did not properly process inputs, leading to XSS vectors.

CVE-2024-40748 (Jan 07, 2025) Product: Joomla
Joomla XSS via Unescaped id Attribute in Menu Lists: Lack of output escaping in the id attribute of menu lists.

CVE-2024-27186 (Aug 20, 2024) Product: Joomla
Mail Template XSS in Multiple Extensions: The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.

CVE-2024-27185 (Aug 20, 2024) Product: Joomla
Cache Poisoning via Arbitrary Pagination Parameters: The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.

CVE-2024-27184 (Aug 20, 2024) Product: Joomla
Open Redirect via Inadequate URL Validation: Inadequate validation of URLs could defeat the check of whether a redirect URL is internal or not.

CVE-2024-40743 (Aug 20, 2024) Product: Joomla
XSS via stripImages and stripIframes Input Handling: The stripImages and stripIframes methods did not properly process inputs, leading to XSS vectors.

CVE-2024-27187 (Aug 20, 2024) Product: Joomla
Improper Access Control: Backend Users Can Overwrite Their Username: Improper access controls allow backend users to overwrite their username when this is disallowed.

CVE-2024-21729 (Jul 09, 2024) Product: Joomla
Joomla XSS via the accessiblemedia Field: Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.

CVE-2024-26279 (Jul 09, 2024) Product: Joomla
XSS via Improper Input Validation in Wrapper Extensions: The wrapper extensions do not correctly validate inputs, leading to XSS vectors.

CVE-2024-26278 (Jul 09, 2024) Product: Joomla
Custom Fields Component XSS: The Custom Fields component does not correctly filter inputs, leading to an XSS vector.

CVE-2024-21731 (Jul 09, 2024) Product: Joomla
Joomla StringHelper::truncate XSS: Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.

CVE-2024-21730 (Jul 09, 2024) Product: Joomla
fancyselect List Field Self-XSS via Improper Escaping: The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.

CVE-2024-21724 (Feb 29, 2024) Product: Joomla
Joomla Extensions XSS via Media Selection Fields: Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions.

CVE-2024-21722 (Feb 29, 2024) Product: Joomla
MFA Sessions Not Terminated on MFA Method Change: The MFA management features did not properly terminate existing user sessions when a user's MFA methods were modified.

CVE-2024-21723 (Feb 29, 2024) Product: Joomla
Open Redirect via Inadequate URL Parsing: Inadequate parsing of URLs could result in an open redirect.

CVE-2024-21726 (Feb 29, 2024) Product: Joomla
XSS via Weak Content Filtering in Multiple Components: Inadequate content filtering leads to XSS vulnerabilities in various components.
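Two of the entries above, CVE-2026-35222 (com_tags order clause) and CVE-2026-21630 (articles webservice ORDER BY), describe the same bug class: a sort column or direction taken from the request and pasted into the query text. The following is an added example written for this page, in Python rather than Joomla's PHP, and not Joomla's own code; the schema, the rows and the users.secret column are constructed for the demonstration. It shows why an ORDER BY position is still injectable even though the attacker never closes a string literal (a CASE expression turns the sort order into a boolean oracle), and the allowlist mapping that removes the problem.

```python
import sqlite3

# Constructed sample schema and rows for this example; this is not Joomla's schema.
SCHEMA = """
CREATE TABLE tags  (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
INSERT INTO tags  VALUES (1, 'zeta'), (2, 'alpha'), (3, 'mid');
INSERT INTO users VALUES (1, 'admin', 's3cret');
"""

# Allowlists: the request may only name these keys; the query text never sees the raw value.
ALLOWED_ORDER = {"id": "id", "title": "title"}
ALLOWED_DIR = {"asc": "ASC", "desc": "DESC"}


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_tags_vulnerable(conn, order, direction="asc"):
    """Vulnerable: the sort expression is interpolated straight from the request."""
    sql = f"SELECT id, title FROM tags ORDER BY {order} {direction}"
    return [row[0] for row in conn.execute(sql)]


def list_tags_hardened(conn, order, direction="asc"):
    """Hardened: map request keys to fixed identifiers and reject everything else."""
    column = ALLOWED_ORDER.get(order)
    sort_dir = ALLOWED_DIR.get(direction.lower())
    if column is None or sort_dir is None:
        raise ValueError(f"rejected ORDER BY input: {order!r} {direction!r}")
    sql = f"SELECT id, title FROM tags ORDER BY {column} {sort_dir}"
    return [row[0] for row in conn.execute(sql)]


def hardened_rejects(conn, order, direction="asc"):
    """True when the hardened builder refuses the input."""
    try:
        list_tags_hardened(conn, order, direction)
    except ValueError:
        return True
    return False


def oracle_payload(guess):
    """Boolean-based blind payload: sort by id if the guess is right, else by title.

    No quote is needed to break out, because ORDER BY takes a bare expression."""
    return ("(CASE WHEN (SELECT substr(secret, 1, 1) FROM users WHERE id = 1) = "
            f"'{guess}' THEN id ELSE title END)")


def leak_first_char(conn, lister):
    """Attacker loop: the order of the returned ids tells whether the guess matched."""
    for guess in "abcdefghijklmnopqrstuvwxyz0123456789":
        ids = lister(conn, oracle_payload(guess))
        if ids == [1, 2, 3]:  # sorted by id, so the CASE took the THEN branch
            return guess
    return None


if __name__ == "__main__":
    db = connect()
    print("leaked via vulnerable builder:", leak_first_char(db, list_tags_vulnerable))
    print("hardened rejects payload:", hardened_rejects(db, oracle_payload("s")))
    print("hardened title desc:", list_tags_hardened(db, "title", "desc"))
```

The point of the allowlist is that the request value is only ever used as a dictionary key; quoting or escaping the identifier would not help here, because the attacker is supplying an expression, not a string.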
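CVE-2024-27184 and CVE-2024-21723 above both concern an "is this redirect URL internal?" check that a crafted URL can get past. The following is an added example for this page, written in Python and not taken from Joomla; the site origin https://example.org/ and the inputs are constructed. It contrasts the common naive test (any string starting with "/" is local) with a check that resolves the target against the site base and compares the full origin, and it goes a little beyond the two entries by also covering userinfo, subdomain-suffix and scheme-downgrade cases.

```python
from urllib.parse import urljoin, urlparse

SITE_BASE = "https://example.org/"          # assumed site origin (constructed)
DEFAULT_PORTS = {"http": 80, "https": 443}


def is_internal_naive(url):
    """Vulnerable: anything that starts with '/' is assumed to stay on this site."""
    return url.startswith("/")


def _origin(url):
    """(scheme, lowercase host, effective port) of an absolute URL."""
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def is_internal_hardened(url, base=SITE_BASE):
    """Resolve the target against the site base and require the same origin."""
    # Characters browsers reinterpret or that split headers: backslash (treated as '/'),
    # CR/LF (header injection), tab/NUL (stripped by browsers, not by naive parsers).
    # Space is rejected as well; a well-formed redirect target never contains one.
    if any(c in url for c in "\\\r\n\t\x00 "):
        return False
    # '//host' and '///host' are protocol-relative in browsers and leave the site.
    if url.startswith("//"):
        return False
    try:
        return _origin(urljoin(base, url)) == _origin(base)
    except ValueError:  # invalid port or IPv6 literal: treat as untrusted
        return False


def safe_redirect_target(url, fallback="/"):
    """What a login/return handler should actually redirect to."""
    return url if is_internal_hardened(url) else fallback


# Constructed inputs: the first two are classic open-redirect bypasses of the naive check.
CASES = [
    "//evil.example/",
    "/\\evil.example",
    "/index.php?option=com_users&view=login",
    "https://EXAMPLE.ORG:443/administrator/",
    "https://example.org@evil.example/",
    "https://example.org.evil.example/",
    "http://example.org/",
]


def evaluate(cases=CASES):
    """Map each input to (naive verdict, hardened verdict)."""
    return {u: (is_internal_naive(u), is_internal_hardened(u)) for u in cases}


if __name__ == "__main__":
    for url, (naive, hardened) in evaluate().items():
        print(f"{url!r:45} naive={naive!s:5} hardened={hardened}")
```

The decisive design choice is to compare origins after resolution rather than to pattern-match the raw string: the browser is the parser that matters, so the check normalises (case, default port) the way a browser would and refuses outright the characters whose browser interpretation differs from the server's.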
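CVE-2026-48901 above describes a getInstance()-style factory whose cache key left out a parameter that changes how the returned filter behaves. The following is an added example for this page, in Python, and is not Joomla's InputFilter: the HtmlFilter class, its allowed_tags/allowed_attrs parameters and the payload are all constructed to show the general pattern. The first caller's permissive settings are silently reused by a later, stricter caller when the key is incomplete, and the fix is simply to key on every behaviour-changing argument.

```python
import re

TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")


class HtmlFilter:
    """Minimal tag/attribute allowlist filter, constructed for this example.

    It stands in for any filter object whose behaviour depends on its constructor
    arguments; it is not Joomla's InputFilter."""

    def __init__(self, allowed_tags, allowed_attrs):
        self.tags = frozenset(t.lower() for t in allowed_tags)
        self.attrs = frozenset(a.lower() for a in allowed_attrs)

    def clean(self, html):
        def rebuild(match):
            closing, name, rest = match.group(1), match.group(2).lower(), match.group(3)
            if name not in self.tags:
                return ""                      # drop the tag, keep the inner text
            if closing:
                return f"</{name}>"
            kept = [f"{a}={v}" for a, v in ATTR_RE.findall(rest) if a.lower() in self.attrs]
            return "<" + " ".join([name] + kept) + ">"
        return TAG_RE.sub(rebuild, html)


def make_factory(key_fn):
    """A getInstance()-style factory: one cached instance per key."""
    cache = {}

    def get_instance(allowed_tags, allowed_attrs):
        key = key_fn(allowed_tags, allowed_attrs)
        if key not in cache:
            cache[key] = HtmlFilter(allowed_tags, allowed_attrs)
        return cache[key]

    return get_instance


# BUG (the pattern the entry describes): allowed_attrs is left out of the cache key,
# so the first caller's attribute policy is reused by every later caller that asks
# for the same tag list.
get_instance_vulnerable = make_factory(lambda tags, attrs: tuple(sorted(tags)))

# FIX: every constructor argument that changes behaviour is part of the key.
get_instance_fixed = make_factory(
    lambda tags, attrs: (tuple(sorted(tags)), tuple(sorted(attrs))))

# Constructed payload: the event handler is what the strict caller must not let through.
PAYLOAD = '<p class="x" onclick="alert(1)">hi</p>'


def demo(factory):
    """A permissive caller runs first, then a strict caller asks for the 'same' filter."""
    factory(["p"], ["class", "onclick"])          # e.g. a trusted raw-HTML editor
    strict = factory(["p"], ["class"])            # e.g. a public comment form
    return strict.clean(PAYLOAD)


if __name__ == "__main__":
    print("vulnerable factory:", demo(get_instance_vulnerable))
    print("fixed factory:     ", demo(get_instance_fixed))
```

The bug is order-dependent, which is why it survives testing: each caller in isolation gets a correctly configured instance, and only the interleaving of a permissive request before a strict one exposes it.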
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).