Joomla Joomla CMS

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Joomla product.

RSS Feeds for Joomla security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Joomla products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Joomla Sorted by Most Security Vulnerabilities since 2018

Joomla212 vulnerabilities

Joomla Jambook1 vulnerability

Joomla Jim Component1 vulnerability

Joomla Rssxt Component1 vulnerability

Joomla X Shop Component1 vulnerability

By the Year

In 2026 there have been 40 vulnerabilities in Joomla with an average score of 8.7 out of ten. Last year, in 2025 Joomla had 8 security vulnerabilities published. That is, 32 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 3.35.




Year Vulnerabilities Average Score
2026 40 8.65
2025 8 5.30
2024 15 5.98
2023 6 6.17
2022 13 6.88
2021 28 6.52
2020 33 6.70
2019 29 6.78
2018 24 7.10

It may take a day or so for new Joomla vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Joomla Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-48952 Jul 07, 2026
XSS via unescaped output in Joomla com_installer update list view Lack of escaping leads to an XSS vulnerability in the update list view of com_installer.
Joomla
CVE-2026-48947 Jul 07, 2026
Joomla CMS Media File Overwrite via Improper Access Check An improper access check allows privileged users to overwrite media files without editing permissions.
Joomla
CVE-2026-48958 Jul 07, 2026
CVE-2026-48958: Unauthorized Custom Field Creation in Joomla Webservices An improper access check allows unauthorized users to create custom fields via webservices endpoints.
Joomla
CVE-2026-48950 Jul 07, 2026
XSS in Joomla com_templates File Manager View Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.
Joomla
CVE-2026-48955 Jul 07, 2026
CVE-2026-48955: Unauthorized Access to Joomla Workflow Stage & Transition Info An improper access check allows unauthorized users to access workflow stage and transition information.
Joomla
CVE-2026-48956 Jul 07, 2026
Joomla Module List Disclosure via Improper Access Check An improper access check allows users to display a list of modules in the frontend.
Joomla
CVE-2026-48957 Jul 07, 2026
Joomla! com_privacy Improper Access Control Bypass An improper access check allows unauthorized users to access com_privacy datasets.
Joomla
CVE-2026-48951 Jul 07, 2026
Joomla XSS via Unescaped Modalreturn Layouts Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.
Joomla
CVE-2026-48953 Jul 07, 2026
Joomla XSS via unescaped generic image output layout Lack of escaping leads to an XSS vulnerability in the generic image output layout.
Joomla
CVE-2026-48948 Jul 07, 2026
Joomla com_contact Improper Access Check Allows Private vCard Export An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.
Joomla
CVE-2026-48949 Jul 07, 2026
XSS in Joomla! MFA Management Views Lack of validation leads to an XSS vulnerability in the MFA management views.
Joomla
CVE-2026-48954 Jul 07, 2026
Joomla CMS XSS via Language Override Validation Flaw Improper validation leads to a generic XSS vector in the language override feature.
Joomla
CVE-2026-35221 May 26, 2026
Joomla com_finder SQLi via Improper Filter Clauses Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.
Joomla
CVE-2026-48903 May 26, 2026
XSS via inadequate content filtering in Joomla checkAttribute methods Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.
Joomla
CVE-2026-48896 May 26, 2026
Joomla 2FA Bypass via Insufficient State Checks Insufficient state checks lead to a vector that allows to bypass 2FA checks.
Joomla
CVE-2026-35220 May 26, 2026
Joomla CSRF Token Bypass in com_users Admin Activation Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.
Joomla
CVE-2026-40383 May 26, 2026
Joomla LFI Vulnerability: Improper Input Validation An improper validation of user-supplied input leads to a local file inclusion vulnerability.
Joomla
CVE-2026-35222 May 26, 2026
Joomla com_tags SQL Injection via Order Clause Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.
Joomla
CVE-2026-40384 May 26, 2026
Joomla com_media Path Traversal via Unvalidated Search Parameter An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.
Joomla
CVE-2026-48905 May 26, 2026
XSS via lack of input filtering in Joomla HTML filter Lack of input filtering leads to an XSS vector in the HTML filter code.
Joomla
CVE-2026-48897 May 26, 2026
Joomla 2FA Bypass via Insufficient State Checks Insufficient state checks lead to a vector that allows to bypass 2FA checks.
Joomla
CVE-2026-25901 May 26, 2026
Joomla Multilingual Associations XSS from Unescaped Output Lack of output escaping leads to a XSS vector in the multilingual associations component.
Joomla
CVE-2026-48899 May 26, 2026
Privilege Escalation via Improper Access Check in Joomla com_users Batch Task An improper access check allows privilege escalation through the com_users batch task.
Joomla
CVE-2026-48900 May 26, 2026
Joomla! Improper Access Check Lets Low-Priv Users Edit Scheduler Task Types An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.
Joomla
CVE-2026-48902 May 26, 2026
Joomla Auth Reset Generates Plain HTTP Links Without Force SSL The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
Joomla
CVE-2026-35223 May 26, 2026
Joomla com_config Improper Access Check Exploits Webservice An improper access check allows unauthorized access to com_config webservice endpoints.
Joomla
CVE-2026-25900 May 26, 2026
Joomla Feed Module XSS via Unescaped Output Lack of output escaping leads to a XSS vector in the feed modules.
Joomla
CVE-2026-48904 May 26, 2026
Joomla com_users webservice privilege escalation (CVE-2026-48904) An improper access check allows privelege escalation through the com_users group editing webservice endpoint.
Joomla
CVE-2026-30895 May 26, 2026
Joomla com_content XSS via readmore links Lack of output escaping leads to a XSS vector in the readmore links for com_content.
Joomla
CVE-2026-48898 May 26, 2026
Joomla Improper Access Check in com_users Batch Task Enables Priv Esc An improper access check allows privilege escalation through the com_users batch task.
Joomla
CVE-2026-30894 May 26, 2026
Joomla XSS in Content History due to lack of output escaping Lack of output escaping leads to a XSS vector in the content history component.
Joomla
CVE-2026-48901 May 26, 2026
Joomla InputFilter Cache Key Bypass in Input Filtering The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.
Joomla
CVE-2026-21630 Apr 01, 2026
Joomla Articles Webservice SQLi via ORDER BY clause Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.
Joomla
CVE-2026-23898 Apr 01, 2026
Joomla CMS AutoUpd File Delete via Input Validation Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.
Joomla
CVE-2026-21629 Apr 01, 2026
Joomla AJAX Auth Bypass via Admin Check Exclusion The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.
Joomla
CVE-2026-23899 Apr 01, 2026
Joomla Improper Access Check Allows Unauthorized Webservice Access An improper access check allows unauthorized access to webservice endpoints.
Joomla
CVE-2026-21631 Apr 01, 2026
Joomla Multilingual Associations XSS via Unescaped Output Lack of output escaping leads to a XSS vector in the multilingual associations component.
Joomla
CVE-2026-21632 Apr 01, 2026
Joomla CMS XSS via unsanitized article titles Lack of output escaping for article titles leads to XSS vectors in various locations.
Joomla
CVE-2025-63082 Jan 06, 2026
Joomla HTML Filter XSS via Img Data URLs Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.
Joomla
CVE-2025-63083 Jan 06, 2026
Joomla Pagebreak Plugin XSS via Unescaped Output Lack of output escaping leads to a XSS vector in the pagebreak plugin.
Joomla
CVE-2025-54477 Sep 30, 2025
User Enum via Improper Passkey Auth Handling (CVE-2025-54477) Improper handling of authentication requests lead to a user enumeration vector in the passkey authentication method.
Joomla
CVE-2025-54476 Sep 30, 2025
XSS via checkAttribute in InputFilter Framework Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class.
Joomla
CVE-2025-50057 Jul 18, 2025
RSFiles! Component: DOS via Search in Joomla 1.16.3-1.17.7 A DOS vulnerability in RSFiles! component 1.16.3-1.17.7 Joomla was discovered. The issue allows unauthenticated remote attackers to deny access to service via the search feature.
Joomla
CVE-2025-25227 Apr 08, 2025
2FA Bypass via Insufficient State Check Insufficient state checks lead to a vector that allows to bypass 2FA checks.
Joomla
CVE-2025-25226 Apr 08, 2025
SQLi in quoteNameStr of database package (method protected) Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.
Joomla
CVE-2024-40749 Jan 07, 2025
Improper Access Control enables access to protected views Improper Access Controls allows access to protected views.
Joomla
CVE-2024-40748 Jan 07, 2025
Drupal XSS: Unescaped id in menu lists Lack of output escaping in the id attribute of menu lists.
Joomla
CVE-2024-40747 Jan 07, 2025
Joomla! XSS via Module Chrome Exploit Various module chromes didn't properly process inputs, leading to XSS vectors.
Joomla
CVE-2024-27184 Aug 20, 2024
Open Redirect via Inadequate URL Validation Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not..
Joomla
CVE-2024-27187 Aug 20, 2024
Improper Access Control: Backend Users Overwrite Username Improper Access Controls allows backend users to overwrite their username when disallowed.
Joomla
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.