Joomla CMS


Products by Joomla, sorted by most security vulnerabilities since 2018

Joomla                   170 vulnerabilities
Joomla Jambook             1 vulnerability
Joomla Jim Component       1 vulnerability
Joomla Rssxt Component     1 vulnerability
Joomla X Shop Component    1 vulnerability

By the Year

In 2025 there have been 8 vulnerabilities in Joomla with an average score of 5.3 out of ten. Last year, in 2024, Joomla had 15 security vulnerabilities published. Right now, Joomla is on track to have fewer security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 0.68.
Year   Vulnerabilities   Average Score
2025    8                5.30
2024   15                5.98
2023    6                6.17
2022   13                6.88
2021   28                6.82
2020   31                6.83
2019   29                6.88
2018   24                6.93

It may take a day or so for new Joomla vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Joomla Security Vulnerabilities

CVE             Date          Products

CVE-2025-54477  Sep 30, 2025  Joomla
    User Enum via Improper Passkey Auth Handling (CVE-2025-54477)
    Improper handling of authentication requests leads to a user enumeration vector in the passkey authentication method.

CVE-2025-54476  Sep 30, 2025  Joomla
    XSS via checkAttribute in InputFilter Framework
    Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class.

CVE-2025-50057  Jul 18, 2025  Joomla
    RSFiles! Component: DOS via Search in Joomla 1.16.3-1.17.7
    A DOS vulnerability in the RSFiles! component 1.16.3-1.17.7 for Joomla was discovered. The issue allows unauthenticated remote attackers to deny access to the service via the search feature.

CVE-2025-25226  Apr 08, 2025  Joomla
    SQLi in quoteNameStr of database package (method protected)
    Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in either the 2.x or the 3.x branch, and therefore the vulnerability in question cannot be exploited when using the original database class. However, classes extending the affected class might be affected if the vulnerable method is used.

CVE-2025-25227  Apr 08, 2025  Joomla
    2FA Bypass via Insufficient State Check
    Insufficient state checks lead to a vector that allows bypassing 2FA checks.

CVE-2024-40747  Jan 07, 2025  Joomla
    Joomla! XSS via Module Chrome Exploit
    Various module chromes didn't properly process inputs, leading to XSS vectors.

CVE-2024-40748  Jan 07, 2025  Joomla
    Drupal XSS: Unescaped id in menu lists
    Lack of output escaping in the id attribute of menu lists.

CVE-2024-40749  Jan 07, 2025  Joomla
    Improper Access Control enables access to protected views
    Improper access controls allow access to protected views.

CVE-2024-27184  Aug 20, 2024  Joomla
    Open Redirect via Inadequate URL Validation
    Inadequate validation of URLs could result in an invalid check of whether a redirect URL is internal or not.

CVE-2024-27185  Aug 20, 2024  Joomla
    Cache Poisoning via Arbitrary Pagination Params
    The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.

CVE-2024-27186  Aug 20, 2024  Joomla
    Mail Template XSS in multiple extensions (CVE-2024-27186)
    The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.

CVE-2024-27187  Aug 20, 2024  Joomla
    Improper Access Control: Backend Users Overwrite Username
    Improper access controls allow backend users to overwrite their username when disallowed.

CVE-2024-40743  Aug 20, 2024  Joomla
    XSS via stripImages & stripIframes input handling (PHP)
    The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.

CVE-2024-21729  Jul 09, 2024  Joomla
    XSS via accessiblemedia field in AccessibleMedia WP plugin
    Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.

CVE-2024-21730  Jul 09, 2024  Joomla
    fancyselect list field selfXSS via improper escaping
    The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.

CVE-2024-21731  Jul 09, 2024  Joomla
    Yii2 PHP: StringHelper::truncate XSS Vulnerability
    Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.

CVE-2024-26278  Jul 09, 2024  Joomla
    Custom Fields Component XSS Vulnerability
    The Custom Fields component does not correctly filter inputs, leading to an XSS vector.

CVE-2024-26279  Jul 09, 2024  Joomla
    XSS via Improper Input Validation in Wrapper Extensions
    The wrapper extensions do not correctly validate inputs, leading to XSS vectors.

CVE-2024-21722  Feb 29, 2024  Joomla
    MFA Session Not Properly Terminated on MFA Method Change
    The MFA management features did not properly terminate existing user sessions when a user's MFA methods were modified.

CVE-2024-21723  Feb 29, 2024  Joomla
    Open Redirect via Inadequate URL Parsing
    Inadequate parsing of URLs could result in an open redirect.

CVE-2024-21725  Feb 29, 2024  Joomla
    XSS via Unescaped Email Addresses in PHP Components
    Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components.

CVE-2024-21726  Feb 29, 2024  Joomla
    XSS via weak content filtering in multiple components
    Inadequate content filtering leads to XSS vulnerabilities in various components.

CVE-2024-21724  Feb 29, 2024  Joomla
    WordPress Extensions XSS via Media Selection Fields (CVE-2024-21724)
    Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions.

CVE-2023-40626  Nov 29, 2023  Joomla
    Drupal Language File Parsing Exposes Env Vars
    The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensitive information.

CVE-2023-23754  May 30, 2023  Joomla
    An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new MFA selection screen.

CVE-2023-23755  May 30, 2023  Joomla
    An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.

CVE-2023-23752  Feb 16, 2023  Joomla
    An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

CVE-2023-23751  Feb 01, 2023  Joomla
    An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non-super-admin users to access com_actionlogs.

CVE-2023-23750  Feb 01, 2023  Joomla
    An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.

CVE-2022-27914  Nov 08, 2022  Joomla
    An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.

CVE-2022-27912  Oct 25, 2022  Joomla
    An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.

CVE-2022-27913  Oct 25, 2022  Joomla
    An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.

CVE-2022-27911  Aug 31, 2022  Joomla
    An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of a missing '_JEXEC or die' check caused by the PSR12 changes.

CVE-2022-23793  Mar 30, 2022  Joomla
    An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting a specifically crafted tar package could write files outside of the intended path.

CVE-2022-23801  Mar 30, 2022  Joomla
    An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS attack vector through SVG embedding in com_media.

CVE-2022-23800  Mar 30, 2022  Joomla
    An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components.

CVE-2022-23799  Mar 30, 2022  Joomla
    An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data.

CVE-2022-23798  Mar 30, 2022  Joomla
    An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result in an invalid check of whether a redirect URL is internal or not.

CVE-2022-23796  Mar 30, 2022  Joomla
    An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields.

CVE-2022-23795  Mar 30, 2022  Joomla
    An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism, which could under very special circumstances allow an account takeover.

CVE-2022-23794  Mar 30, 2022  Joomla
    An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Uploading a file name of excess length causes an error. This error brings up a screen with the path of the source code of the web application.

CVE-2022-23797  Mar 30, 2022  Joomla
    An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering of the selected IDs on a request could result in a possible SQL injection.

CVE-2021-26040  Aug 24, 2021  Joomla
    An issue was discovered in Joomla! 4.0.0. The media manager does not correctly check the user's permissions before executing a file deletion command.

CVE-2021-26036  Jul 07, 2021  Joomla
    An issue was discovered in Joomla! 2.5.0 through 3.9.27. Missing validation of input could lead to a broken usergroups table.

CVE-2021-26039  Jul 07, 2021  Joomla
    An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the imagelist view of com_media leads to an XSS vulnerability.

CVE-2021-26035  Jul 07, 2021  Joomla
    An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to an XSS vulnerability.

CVE-2021-26037  Jul 07, 2021  Joomla
    An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly terminate existing user sessions when a user's password was changed or the user was blocked.

CVE-2021-26038  Jul 07, 2021  Joomla
    An issue was discovered in Joomla! 2.5.0 through 3.9.27. The install action in com_installer lacks the required hardcoded ACL checks for superusers. A default system is not affected because the default ACL for com_installer is already limited to super users.

CVE-2010-1434   Jun 21, 2021  Joomla
    Joomla! Core is prone to a session fixation vulnerability. An attacker may leverage this issue to hijack an arbitrary session and gain access to sensitive information, which may help in launching further attacks. Joomla! Core versions 1.5.x ranging from 1.5.0 up to and including 1.5.15 are vulnerable.

CVE-2010-1435   Jun 21, 2021  Joomla
    Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently retrieve password reset tokens from the database through an already existing SQL injection vector. Joomla! Core versions 1.5.x ranging from 1.5.0 up to and including 1.5.15 are vulnerable.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).