Joomla CMS
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Joomla product.
RSS Feeds for Joomla security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Joomla products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Joomla Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 40 vulnerabilities in Joomla with an average score of 8.7 out of ten. Last year, in 2025 Joomla had 8 security vulnerabilities published. That is, 32 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 3.35.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 40 | 8.65 |
| 2025 | 8 | 5.30 |
| 2024 | 15 | 5.98 |
| 2023 | 6 | 6.17 |
| 2022 | 13 | 6.88 |
| 2021 | 28 | 6.52 |
| 2020 | 33 | 6.70 |
| 2019 | 29 | 6.78 |
| 2018 | 24 | 7.10 |
It may take a day or so for new Joomla vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Joomla Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-48952 | Jul 07, 2026 |
XSS via unescaped output in Joomla com_installer update list viewLack of escaping leads to an XSS vulnerability in the update list view of com_installer. |
|
| CVE-2026-48947 | Jul 07, 2026 |
Joomla CMS Media File Overwrite via Improper Access CheckAn improper access check allows privileged users to overwrite media files without editing permissions. |
|
| CVE-2026-48958 | Jul 07, 2026 |
CVE-2026-48958: Unauthorized Custom Field Creation in Joomla WebservicesAn improper access check allows unauthorized users to create custom fields via webservices endpoints. |
|
| CVE-2026-48950 | Jul 07, 2026 |
XSS in Joomla com_templates File Manager ViewLack of escaping leads to an XSS vulnerability in the file management view of com_templates. |
|
| CVE-2026-48955 | Jul 07, 2026 |
CVE-2026-48955: Unauthorized Access to Joomla Workflow Stage & Transition InfoAn improper access check allows unauthorized users to access workflow stage and transition information. |
|
| CVE-2026-48956 | Jul 07, 2026 |
Joomla Module List Disclosure via Improper Access CheckAn improper access check allows users to display a list of modules in the frontend. |
|
| CVE-2026-48957 | Jul 07, 2026 |
Joomla! com_privacy Improper Access Control BypassAn improper access check allows unauthorized users to access com_privacy datasets. |
|
| CVE-2026-48951 | Jul 07, 2026 |
Joomla XSS via Unescaped Modalreturn LayoutsLack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components. |
|
| CVE-2026-48953 | Jul 07, 2026 |
Joomla XSS via unescaped generic image output layoutLack of escaping leads to an XSS vulnerability in the generic image output layout. |
|
| CVE-2026-48948 | Jul 07, 2026 |
Joomla com_contact Improper Access Check Allows Private vCard ExportAn improper access check allows user to download vcard exports of com_contact contacts that are inaccessible. |
|
| CVE-2026-48949 | Jul 07, 2026 |
XSS in Joomla! MFA Management ViewsLack of validation leads to an XSS vulnerability in the MFA management views. |
|
| CVE-2026-48954 | Jul 07, 2026 |
Joomla CMS XSS via Language Override Validation FlawImproper validation leads to a generic XSS vector in the language override feature. |
|
| CVE-2026-35221 | May 26, 2026 |
Joomla com_finder SQLi via Improper Filter ClausesImproperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder. |
|
| CVE-2026-48903 | May 26, 2026 |
XSS via inadequate content filtering in Joomla checkAttribute methodsInadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. |
|
| CVE-2026-48896 | May 26, 2026 |
Joomla 2FA Bypass via Insufficient State ChecksInsufficient state checks lead to a vector that allows to bypass 2FA checks. |
|
| CVE-2026-35220 | May 26, 2026 |
Joomla CSRF Token Bypass in com_users Admin ActivationLack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users. |
|
| CVE-2026-40383 | May 26, 2026 |
Joomla LFI Vulnerability: Improper Input ValidationAn improper validation of user-supplied input leads to a local file inclusion vulnerability. |
|
| CVE-2026-35222 | May 26, 2026 |
Joomla com_tags SQL Injection via Order ClauseImproperly validated order clauses lead to a SQL injection vulnerability in com_tags. |
|
| CVE-2026-40384 | May 26, 2026 |
Joomla com_media Path Traversal via Unvalidated Search ParameterAn improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability. |
|
| CVE-2026-48905 | May 26, 2026 |
XSS via lack of input filtering in Joomla HTML filterLack of input filtering leads to an XSS vector in the HTML filter code. |
|
| CVE-2026-48897 | May 26, 2026 |
Joomla 2FA Bypass via Insufficient State ChecksInsufficient state checks lead to a vector that allows to bypass 2FA checks. |
|
| CVE-2026-25901 | May 26, 2026 |
Joomla Multilingual Associations XSS from Unescaped OutputLack of output escaping leads to a XSS vector in the multilingual associations component. |
|
| CVE-2026-48899 | May 26, 2026 |
Privilege Escalation via Improper Access Check in Joomla com_users Batch TaskAn improper access check allows privilege escalation through the com_users batch task. |
|
| CVE-2026-48900 | May 26, 2026 |
Joomla! Improper Access Check Lets Low-Priv Users Edit Scheduler Task TypesAn improper access check allowed low privileged users to edit the task types of existing scheduler tasks. |
|
| CVE-2026-48902 | May 26, 2026 |
Joomla Auth Reset Generates Plain HTTP Links Without Force SSLThe password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. |
|
| CVE-2026-35223 | May 26, 2026 |
Joomla com_config Improper Access Check Exploits WebserviceAn improper access check allows unauthorized access to com_config webservice endpoints. |
|
| CVE-2026-25900 | May 26, 2026 |
Joomla Feed Module XSS via Unescaped OutputLack of output escaping leads to a XSS vector in the feed modules. |
|
| CVE-2026-48904 | May 26, 2026 |
Joomla com_users webservice privilege escalation (CVE-2026-48904)An improper access check allows privelege escalation through the com_users group editing webservice endpoint. |
|
| CVE-2026-30895 | May 26, 2026 |
Joomla com_content XSS via readmore linksLack of output escaping leads to a XSS vector in the readmore links for com_content. |
|
| CVE-2026-48898 | May 26, 2026 |
Joomla Improper Access Check in com_users Batch Task Enables Priv EscAn improper access check allows privilege escalation through the com_users batch task. |
|
| CVE-2026-30894 | May 26, 2026 |
Joomla XSS in Content History due to lack of output escapingLack of output escaping leads to a XSS vector in the content history component. |
|
| CVE-2026-48901 | May 26, 2026 |
Joomla InputFilter Cache Key Bypass in Input FilteringThe InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. |
|
| CVE-2026-21630 | Apr 01, 2026 |
Joomla Articles Webservice SQLi via ORDER BY clauseImproperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint. |
|
| CVE-2026-23898 | Apr 01, 2026 |
Joomla CMS AutoUpd File Delete via Input ValidationLack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism. |
|
| CVE-2026-21629 | Apr 01, 2026 |
Joomla AJAX Auth Bypass via Admin Check ExclusionThe ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers. |
|
| CVE-2026-23899 | Apr 01, 2026 |
Joomla Improper Access Check Allows Unauthorized Webservice AccessAn improper access check allows unauthorized access to webservice endpoints. |
|
| CVE-2026-21631 | Apr 01, 2026 |
Joomla Multilingual Associations XSS via Unescaped OutputLack of output escaping leads to a XSS vector in the multilingual associations component. |
|
| CVE-2026-21632 | Apr 01, 2026 |
Joomla CMS XSS via unsanitized article titlesLack of output escaping for article titles leads to XSS vectors in various locations. |
|
| CVE-2025-63082 | Jan 06, 2026 |
Joomla HTML Filter XSS via Img Data URLsLack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags. |
|
| CVE-2025-63083 | Jan 06, 2026 |
Joomla Pagebreak Plugin XSS via Unescaped OutputLack of output escaping leads to a XSS vector in the pagebreak plugin. |
|
| CVE-2025-54477 | Sep 30, 2025 |
User Enum via Improper Passkey Auth Handling (CVE-2025-54477)Improper handling of authentication requests lead to a user enumeration vector in the passkey authentication method. |
|
| CVE-2025-54476 | Sep 30, 2025 |
XSS via checkAttribute in InputFilter FrameworkImproper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class. |
|
| CVE-2025-50057 | Jul 18, 2025 |
RSFiles! Component: DOS via Search in Joomla 1.16.3-1.17.7A DOS vulnerability in RSFiles! component 1.16.3-1.17.7 Joomla was discovered. The issue allows unauthenticated remote attackers to deny access to service via the search feature. |
|
| CVE-2025-25227 | Apr 08, 2025 |
2FA Bypass via Insufficient State CheckInsufficient state checks lead to a vector that allows to bypass 2FA checks. |
|
| CVE-2025-25226 | Apr 08, 2025 |
SQLi in quoteNameStr of database package (method protected)Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used. |
|
| CVE-2024-40749 | Jan 07, 2025 |
Improper Access Control enables access to protected viewsImproper Access Controls allows access to protected views. |
|
| CVE-2024-40748 | Jan 07, 2025 |
Drupal XSS: Unescaped id in menu listsLack of output escaping in the id attribute of menu lists. |
|
| CVE-2024-40747 | Jan 07, 2025 |
Joomla! XSS via Module Chrome ExploitVarious module chromes didn't properly process inputs, leading to XSS vectors. |
|
| CVE-2024-27184 | Aug 20, 2024 |
Open Redirect via Inadequate URL ValidationInadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not.. |
|
| CVE-2024-27187 | Aug 20, 2024 |
Improper Access Control: Backend Users Overwrite UsernameImproper Access Controls allows backend users to overwrite their username when disallowed. |
|