Joomla
Joomla EOL Dates
Ensure that you are using a supported version of Joomla. Here are some end of life, and end of support dates for Joomla.
| Release | EOL | End of Support | Status |
|---|---|---|---|
| 6 | October 16, 2029 | October 17, 2028 | Active. Joomla 6 will become EOL in 3 years (in 2029). |
| 5 | October 12, 2027 | October 13, 2026 | Active. Joomla 5 will become EOL next year, in October 2027. |
| 4 | October 14, 2025 | October 15, 2024 | EOL. Joomla 4 became EOL in 2025 and support ended in 2024. |
| 3 | August 17, 2023 | August 17, 2021 | EOL. Joomla 3 became EOL in 2023 and support ended in 2021. |
By the Year
In 2026 there have been 28 vulnerabilities in Joomla with an average score of 8.7 out of ten. Last year, in 2025, Joomla had 8 security vulnerabilities published. That is, 20 more vulnerabilities have already been reported in 2026 than in all of last year. Moreover, the average CVE base score of the vulnerabilities in 2026 is greater by 3.35.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 28 | 8.65 |
| 2025 | 8 | 5.30 |
| 2024 | 15 | 5.98 |
| 2023 | 6 | 6.17 |
| 2022 | 13 | 6.88 |
| 2021 | 28 | 6.52 |
| 2020 | 33 | 6.70 |
| 2019 | 29 | 6.78 |
| 2018 | 24 | 7.10 |
It may take a day or so for new Joomla vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Joomla Security Vulnerabilities
Joomla com_finder SQLi via Improper Filter Clauses
CVE-2026-35221
- May 26, 2026
Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.
SQL Injection
XSS via inadequate content filtering in Joomla checkAttribute methods
CVE-2026-48903
- May 26, 2026
Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.
XSS
Joomla 2FA Bypass via Insufficient State Checks
CVE-2026-48896
- May 26, 2026
Insufficient state checks lead to a vector that allows 2FA checks to be bypassed.
Authentication
Joomla CSRF Token Bypass in com_users Admin Activation
CVE-2026-35220
- May 26, 2026
Lack of CSRF token validation leads to a CSRF attack vector in the admin activation endpoint of com_users.
Session Riding
Joomla LFI Vulnerability: Improper Input Validation
CVE-2026-40383
- May 26, 2026
An improper validation of user-supplied input leads to a local file inclusion vulnerability.
Directory traversal
Joomla com_tags SQL Injection via Order Clause
CVE-2026-35222
- May 26, 2026
Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.
SQL Injection
Joomla com_media Path Traversal via Unvalidated Search Parameter
CVE-2026-40384
- May 26, 2026
An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.
Directory traversal
XSS via lack of input filtering in Joomla HTML filter
CVE-2026-48905
- May 26, 2026
Lack of input filtering leads to an XSS vector in the HTML filter code.
XSS
Joomla 2FA Bypass via Insufficient State Checks
CVE-2026-48897
- May 26, 2026
Insufficient state checks lead to a vector that allows 2FA checks to be bypassed.
Authentication
Joomla Multilingual Associations XSS from Unescaped Output
CVE-2026-25901
- May 26, 2026
Lack of output escaping leads to an XSS vector in the multilingual associations component.
XSS
Privilege Escalation via Improper Access Check in Joomla com_users Batch Task
CVE-2026-48899
- May 26, 2026
An improper access check allows privilege escalation through the com_users batch task.
Authorization
Joomla! Improper Access Check Lets Low-Priv Users Edit Scheduler Task Types
CVE-2026-48900
- May 26, 2026
An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.
Authorization
Joomla Auth Reset Generates Plain HTTP Links Without Force SSL
CVE-2026-48902
9.8 - Critical
- May 26, 2026
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
Cleartext Transmission of Sensitive Information
Joomla com_config Improper Access Check Exploits Webservice
CVE-2026-35223
- May 26, 2026
An improper access check allows unauthorized access to com_config webservice endpoints.
Authorization
Joomla Feed Module XSS via Unescaped Output
CVE-2026-25900
- May 26, 2026
Lack of output escaping leads to an XSS vector in the feed modules.
XSS
Joomla com_users webservice privilege escalation (CVE-2026-48904)
CVE-2026-48904
- May 26, 2026
An improper access check allows privilege escalation through the com_users group editing webservice endpoint.
Authorization
Joomla com_content XSS via readmore links
CVE-2026-30895
- May 26, 2026
Lack of output escaping leads to an XSS vector in the readmore links for com_content.
XSS
Joomla Improper Access Check in com_users Batch Task Enables Priv Esc
CVE-2026-48898
- May 26, 2026
An improper access check allows privilege escalation through the com_users batch task.
Authorization
Joomla XSS in Content History due to lack of output escaping
CVE-2026-30894
- May 26, 2026
Lack of output escaping leads to an XSS vector in the content history component.
XSS
Joomla InputFilter Cache Key Bypass in Input Filtering
CVE-2026-48901
7.5 - High
- May 26, 2026
The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.
Use of Cache Containing Sensitive Information
Joomla Articles Webservice SQLi via ORDER BY clause
CVE-2026-21630
- April 01, 2026
Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.
SQL Injection
Joomla CMS AutoUpd File Delete via Input Validation
CVE-2026-23898
- April 01, 2026
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.
External Control of File Name or Path
Joomla AJAX Auth Bypass via Admin Check Exclusion
CVE-2026-21629
- April 01, 2026
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.
Authorization
Joomla Improper Access Check Allows Unauthorized Webservice Access
CVE-2026-23899
- April 01, 2026
An improper access check allows unauthorized access to webservice endpoints.
Authorization
Joomla Multilingual Associations XSS via Unescaped Output
CVE-2026-21631
- April 01, 2026
Lack of output escaping leads to an XSS vector in the multilingual associations component.
XSS
Joomla CMS XSS via unsanitized article titles
CVE-2026-21632
- April 01, 2026
Lack of output escaping for article titles leads to XSS vectors in various locations.
XSS
Joomla HTML Filter XSS via Img Data URLs
CVE-2025-63082
- January 06, 2026
Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.
XSS
Joomla Pagebreak Plugin XSS via Unescaped Output
CVE-2025-63083
- January 06, 2026
Lack of output escaping leads to an XSS vector in the pagebreak plugin.
XSS
User Enum via Improper Passkey Auth Handling (CVE-2025-54477)
CVE-2025-54477
5.3 - Medium
- September 30, 2025
Improper handling of authentication requests leads to a user enumeration vector in the passkey authentication method.
Side Channel Attack
XSS via checkAttribute in InputFilter Framework
CVE-2025-54476
- September 30, 2025
Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class.
XSS
RSFiles! Component: DOS via Search in Joomla 1.16.3-1.17.7
CVE-2025-50057
- July 18, 2025
A DoS vulnerability in the RSFiles! component 1.16.3-1.17.7 for Joomla was discovered. The issue allows unauthenticated remote attackers to deny access to the service via the search feature.
Resource Exhaustion
SQLi in quoteNameStr of database package (method protected)
CVE-2025-25226
- April 08, 2025
Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in either the 2.x or 3.x branch, and therefore the vulnerability in question cannot be exploited when using the original database class. However, classes extending the affected class might be affected if the vulnerable method is used.
SQL Injection
2FA Bypass via Insufficient State Check
CVE-2025-25227
- April 08, 2025
Insufficient state checks lead to a vector that allows 2FA checks to be bypassed.
Improper Access Control enables access to protected views
CVE-2024-40749
- January 07, 2025
Improper access controls allow access to protected views.
Joomla! XSS via Module Chrome Exploit
CVE-2024-40747
- January 07, 2025
Various module chromes didn't properly process inputs, leading to XSS vectors.
XSS
Drupal XSS: Unescaped id in menu lists
CVE-2024-40748
- January 07, 2025
Lack of output escaping in the id attribute of menu lists.
XSS
Mail Template XSS in multiple extensions (CVE-2024-27186)
CVE-2024-27186
- August 20, 2024
The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.
XSS
Cache Poisoning via Arbitrary Pagination Params
CVE-2024-27185
- August 20, 2024
The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.
Open Redirect via Inadequate URL Validation
CVE-2024-27184
- August 20, 2024
Inadequate validation of URLs could result in an incorrect check of whether a redirect URL is internal or not.
Open Redirect
XSS via stripImages & stripIframes input handling (PHP)
CVE-2024-40743
- August 20, 2024
The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.
XSS
Improper Access Control: Backend Users Overwrite Username
CVE-2024-27187
- August 20, 2024
Improper access controls allow backend users to overwrite their username when this is disallowed.
XSS via accessiblemedia field in AccessibleMedia WP plugin
CVE-2024-21729
6.1 - Medium
- July 09, 2024
Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.
XSS
XSS via Improper Input Validation in Wrapper Extensions
CVE-2024-26279
6.1 - Medium
- July 09, 2024
The wrapper extensions do not correctly validate inputs, leading to XSS vectors.
XSS
Custom Fields Component XSS Vulnerability
CVE-2024-26278
6.1 - Medium
- July 09, 2024
The Custom Fields component does not correctly filter inputs, leading to an XSS vector.
XSS
Yii2 PHP: StringHelper::truncate XSS Vulnerability
CVE-2024-21731
6.1 - Medium
- July 09, 2024
Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.
XSS
fancyselect list field selfXSS via improper escaping
CVE-2024-21730
5.4 - Medium
- July 09, 2024
The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.
XSS
WordPress Extensions XSS via Media Selection Fields (CVE-2024-21724)
CVE-2024-21724
6.1 - Medium
- February 29, 2024
Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions.
XSS
MFA Session Not Properly Terminated on MFA Method Change
CVE-2024-21722
- February 29, 2024
The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.
Insufficient Session Expiration
Open Redirect via Inadequate URL Parsing
CVE-2024-21723
- February 29, 2024
Inadequate parsing of URLs could result in an open redirect.
Open Redirect
XSS via weak content filtering in multiple components
CVE-2024-21726
- February 29, 2024
Inadequate content filtering leads to XSS vulnerabilities in various components.
XSS