Joomla
Joomla EOL Dates
Ensure that you are using a supported version of Joomla. Here are the end-of-life and end-of-support dates for Joomla.
| Release | EOL | End of Support | Status |
|---|---|---|---|
| 6 | October 16, 2029 | October 17, 2028 | Active (EOL in 2029) |
| 5 | October 12, 2027 | October 13, 2026 | Active (EOL in October 2027) |
| 4 | October 14, 2025 | October 15, 2024 | EOL (support ended in 2024, EOL in 2025) |
| 3 | August 17, 2023 | August 17, 2021 | EOL (support ended in 2021, EOL in 2023) |
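A practitioner's first use of a table like this is to check an installed site against it. The following is an added example, not stack.watch's or Joomla's own code. It assumes the installed release can be read from the `<version>` element of `administrator/manifests/files/joomla.xml` (the manifest below is a constructed sample), and it interprets the window between "End of Support" and "EOL" as security-fix-only support; both are assumptions.

```python
"""Classify an installed Joomla release against the EOL table above (added example)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from datetime import date

# Dates transcribed from the EOL table on this page: major -> (end of support, EOL).
# Assumption: between the two dates a branch still receives security fixes.
SUPPORT_WINDOWS: dict[int, tuple[date, date]] = {
    6: (date(2028, 10, 17), date(2029, 10, 16)),
    5: (date(2026, 10, 13), date(2027, 10, 12)),
    4: (date(2024, 10, 15), date(2025, 10, 14)),
    3: (date(2021, 8, 17), date(2023, 8, 17)),
}

# Constructed sample of administrator/manifests/files/joomla.xml (assumed layout).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension type="file" method="upgrade">
    <name>files_joomla</name>
    <version>4.4.8</version>
</extension>
"""


def parse_version(manifest_xml: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a joomla.xml manifest string."""
    root = ET.fromstring(manifest_xml)
    text = (root.findtext("version") or "").strip()
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def support_status(version: tuple[int, int, int], today: date | str) -> str:
    """Return 'active', 'security-only', 'eol' or 'unknown' for the major of `version`."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    window = SUPPORT_WINDOWS.get(version[0])
    if window is None:
        return "unknown"          # branch not covered by the table (e.g. 2.x, 1.x)
    end_of_support, eol = window
    if today > eol:
        return "eol"
    if today > end_of_support:
        return "security-only"
    return "active"


def audit(manifest_xml: str, today: date | str) -> dict:
    """Combine both steps into a finding a scanner could report."""
    version = parse_version(manifest_xml)
    status = support_status(version, today)
    return {
        "version": ".".join(map(str, version)),
        "status": status,
        "upgrade_recommended": status != "active",
    }


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, "2026-04-01"))
```

Anything other than `active` should be treated as a finding: a branch in its security-only window still needs a migration plan before its EOL date.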
By the Year
In 2026 there have so far been 8 vulnerabilities in Joomla. Last year, in 2025, Joomla had 8 security vulnerabilities published. If vulnerabilities keep arriving at the current rate, the number of security vulnerabilities in Joomla in 2026 could surpass last year's total.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 8 | 0.00 |
| 2025 | 8 | 5.30 |
| 2024 | 15 | 5.98 |
| 2023 | 6 | 6.17 |
| 2022 | 13 | 6.88 |
| 2021 | 28 | 6.52 |
| 2020 | 33 | 6.70 |
| 2019 | 29 | 6.78 |
| 2018 | 24 | 7.10 |
It may take a day or so for new Joomla vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name. The 0.00 average score for 2026 reflects entries that do not yet carry a CVSS score.
Recent Joomla Security Vulnerabilities
Joomla Articles Webservice SQLi via ORDER BY clause
CVE-2026-21630
- April 01, 2026
Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.
SQL Injection
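An ORDER BY clause is the one place where parameter binding cannot help, because SQL grammar has no bound identifiers; the only fix is an allowlist. The following is an added example, not Joomla's code, showing the vulnerable splice, a boolean oracle an attacker can drive through it, and the allowlist fix. It also covers the "selected ids" pattern from CVE-2022-23797 lower on this page, where casting to int and binding is the right fix. The SQLite schema, the `content` and `users` tables and the fake password hash are constructed for the example.

```python
"""ORDER BY injection and its allowlist fix (added example, not Joomla code)."""
from __future__ import annotations

import sqlite3
import string

ALLOWED_ORDER_COLUMNS = {"id", "title", "created"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, created TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO content VALUES (1, 'Alpha', '2024-01-01'), (2, 'Beta', '2024-02-01'),
                                   (3, 'Gamma', '2024-03-01');
        INSERT INTO users VALUES (1, 'admin', 's3cret-hash');
        """
    )
    return conn


def list_ids_vulnerable(conn, order_col: str, order_dir: str) -> list[int]:
    # Vulnerable: request-controlled strings are spliced straight into ORDER BY.
    sql = f"SELECT id FROM content ORDER BY {order_col} {order_dir}"
    return [row[0] for row in conn.execute(sql)]


def list_ids_hardened(conn, order_col: str, order_dir: str) -> list[int]:
    # Hardened: both fragments must match a fixed allowlist before touching the query.
    if order_col not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported sort column {order_col!r}")
    direction = order_dir.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction {order_dir!r}")
    sql = f'SELECT id FROM content ORDER BY "{order_col}" {direction}'
    return [row[0] for row in conn.execute(sql)]


def fetch_by_ids_hardened(conn, raw_ids) -> list[str]:
    # Companion fix for "selected ids" parameters: coerce to int, then bind every value.
    ids = [int(i) for i in raw_ids]          # '1 OR 1=1' raises ValueError here
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT title FROM content WHERE id IN ({placeholders}) ORDER BY id"
    return [row[0] for row in conn.execute(sql, ids)]


def oracle(conn, position: int, guess: str) -> bool:
    # Boolean oracle through the vulnerable sort: a correct guess sorts ids ascending,
    # a wrong one sorts them descending. No error, no UNION, just row order.
    payload = (
        "(CASE WHEN (SELECT substr(password, {pos}, 1) FROM users WHERE username = 'admin')"
        " = '{g}' THEN id ELSE -id END)"
    ).format(pos=position, g=guess)
    return list_ids_vulnerable(conn, payload, "ASC") == [1, 2, 3]


def leak_password(conn, length: int) -> str:
    """Recover the admin password hash one character at a time via the oracle."""
    alphabet = string.ascii_lowercase + string.digits + "-"
    recovered = ""
    for pos in range(1, length + 1):
        recovered += next(c for c in alphabet if oracle(conn, pos, c))
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY:", leak_password(db, 11))
    print("hardened sort:", list_ids_hardened(db, "title", "desc"))
```

The hardened version rejects the oracle payload before any SQL is built, which is also what makes the check auditable: the set of sortable columns is visible in code rather than inferred from whatever the database accepts.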
Joomla CMS AutoUpd File Delete via Input Validation
CVE-2026-23898
- April 01, 2026
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.
External Control of File Name or Path
Joomla AJAX Auth Bypass via Admin Check Exclusion
CVE-2026-21629
- April 01, 2026
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.
Authorization
Joomla Improper Access Check Allows Unauthorized Webservice Access
CVE-2026-23899
- April 01, 2026
An improper access check allows unauthorized access to webservice endpoints.
Authorization
Joomla Multilingual Associations XSS via Unescaped Output
CVE-2026-21631
- April 01, 2026
Lack of output escaping leads to a XSS vector in the multilingual associations component.
XSS
Joomla CMS XSS via unsanitized article titles
CVE-2026-21632
- April 01, 2026
Lack of output escaping for article titles leads to XSS vectors in various locations.
XSS
Joomla HTML Filter XSS via Img Data URLs
CVE-2025-63082
- January 06, 2026
Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.
XSS
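A `data:` URL in an `img src` is only harmless when its payload is a raster image; `image/svg+xml` can carry script, and a scheme check that does not first strip control characters misses `java<TAB>script:`. The following is an added example of such a filter, not Joomla's InputFilter. It assumes a policy that keeps inline base64 PNG/JPEG/GIF/WebP and rejects every other `data:` payload; the HTML sample is constructed.

```python
"""Allowlist-based <img src> filter for data: URLs (added example, not Joomla code)."""
from __future__ import annotations

import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAFE_DATA_IMAGE_RE = re.compile(
    r"^data:image/(png|jpeg|gif|webp);base64,([A-Za-z0-9+/]+={0,2})$", re.IGNORECASE
)
ALLOWED_SCHEMES = {"", "http", "https"}   # "" covers relative and site-absolute paths


def is_safe_img_src(src: str) -> bool:
    """True only for relative/http(s) URLs or well-formed base64 raster data: URLs."""
    # Browsers ignore control characters inside a scheme ("java\tscript:"), so strip
    # them before deciding what the scheme is.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", src)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    if scheme == "data":
        m = SAFE_DATA_IMAGE_RE.match(cleaned)
        if not m:
            return False                      # wrong MIME type, not base64, or junk
        try:
            base64.b64decode(m.group(2), validate=True)
        except (binascii.Error, ValueError):
            return False                      # alphabet passed the regex but padding is off
        return True
    return scheme in ALLOWED_SCHEMES


class _ImgSrcCollector(HTMLParser):
    """Collects every <img src> the policy would reject."""

    def __init__(self) -> None:
        super().__init__()              # convert_charrefs=True decodes &#9; to a tab
        self.unsafe: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        for name, value in attrs:
            if name.lower() == "src" and value is not None and not is_safe_img_src(value):
                self.unsafe.append(value)


def find_unsafe_img_srcs(html: str) -> list[str]:
    """Return the <img src> values in `html` that fail the policy, in document order."""
    collector = _ImgSrcCollector()
    collector.feed(html)
    collector.close()
    return collector.unsafe


# Constructed sample: one path, one valid PNG data URL, one SVG data URL, one split scheme.
SAMPLE_HTML = (
    '<p><img src="/images/logo.png"> '
    '<img src="data:image/png;base64,iVBORw0KGgo="> '
    '<img src="data:image/svg+xml;base64,PHN2Zz4="> '
    '<img src="java&#9;script:alert(1)"></p>'
)

if __name__ == "__main__":
    print(find_unsafe_img_srcs(SAMPLE_HTML))
```

Checking the MIME type before decoding matters more than the decode itself: the decode only confirms the payload is shaped like base64, while the type allowlist is what keeps SVG and `text/html` out.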
Joomla Pagebreak Plugin XSS via Unescaped Output
CVE-2025-63083
- January 06, 2026
Lack of output escaping leads to a XSS vector in the pagebreak plugin.
XSS
User Enumeration via Improper Passkey Authentication Handling
CVE-2025-54477
5.3 - Medium
- September 30, 2025
Improper handling of authentication requests lead to a user enumeration vector in the passkey authentication method.
Side Channel Attack
XSS via checkAttribute in InputFilter Framework
CVE-2025-54476
- September 30, 2025
Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class.
XSS
RSFiles! Component for Joomla 1.16.3-1.17.7: DoS via Search
CVE-2025-50057
- July 18, 2025
A denial-of-service vulnerability was discovered in the RSFiles! component for Joomla, versions 1.16.3 through 1.17.7 (a third-party extension, not Joomla core). It allows unauthenticated remote attackers to deny access to the service via the search feature.
Resource Exhaustion
SQLi in quoteNameStr of database package (method protected)
CVE-2025-25226
- April 08, 2025
Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is protected. It has no usages in the original packages in either the 2.x or the 3.x branch, so the vulnerability cannot be exploited when using the original database class. However, classes extending the affected class might be affected if they use the vulnerable method.
SQL Injection
2FA Bypass via Insufficient State Check
CVE-2025-25227
- April 08, 2025
Insufficient state checks lead to a vector that allows to bypass 2FA checks.
Joomla! XSS via Module Chrome Input Handling
CVE-2024-40747
- January 07, 2025
Various module chromes didn't properly process inputs, leading to XSS vectors.
XSS
Joomla! XSS: Unescaped id in menu lists
CVE-2024-40748
- January 07, 2025
Lack of output escaping in the id attribute of menu lists.
XSS
Improper Access Control enables access to protected views
CVE-2024-40749
- January 07, 2025
Improper Access Controls allows access to protected views.
Open Redirect via Inadequate URL Validation
CVE-2024-27184
- August 20, 2024
Inadequate validation of URLs could result in an incorrect check of whether a redirect URL is internal or not.
Open Redirect
Cache Poisoning via Arbitrary Pagination Params
CVE-2024-27185
- August 20, 2024
The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.
Mail Template XSS in multiple extensions
CVE-2024-27186
- August 20, 2024
The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.
XSS
Improper Access Control: Backend Users Overwrite Username
CVE-2024-27187
- August 20, 2024
Improper Access Controls allows backend users to overwrite their username when disallowed.
XSS via stripImages & stripIframes input handling (PHP)
CVE-2024-40743
- August 20, 2024
The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.
XSS
XSS via accessiblemedia field in Joomla!
CVE-2024-21729
6.1 - Medium
- July 09, 2024
Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.
XSS
fancyselect list field selfXSS via improper escaping
CVE-2024-21730
5.4 - Medium
- July 09, 2024
The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.
XSS
Joomla! StringHelper::truncate XSS Vulnerability
CVE-2024-21731
6.1 - Medium
- July 09, 2024
Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.
XSS
Custom Fields Component XSS Vulnerability
CVE-2024-26278
6.1 - Medium
- July 09, 2024
The Custom Fields component does not correctly filter inputs, leading to an XSS vector.
XSS
XSS via Improper Input Validation in Wrapper Extensions
CVE-2024-26279
6.1 - Medium
- July 09, 2024
The wrapper extensions do not correctly validate inputs, leading to XSS vectors.
XSS
MFA Session Not Properly Terminated on MFA Method Change
CVE-2024-21722
- February 29, 2024
The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.
Insufficient Session Expiration
Open Redirect via Inadequate URL Parsing
CVE-2024-21723
- February 29, 2024
Inadequate parsing of URLs could result into an open redirect.
Open Redirect
XSS via Unescaped Email Addresses in Various Components
CVE-2024-21725
- February 29, 2024
Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components.
XSS via weak content filtering in multiple components
CVE-2024-21726
- February 29, 2024
Inadequate content filtering leads to XSS vulnerabilities in various components.
XSS
Joomla! Extensions XSS via Media Selection Fields
CVE-2024-21724
6.1 - Medium
- February 29, 2024
Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions.
XSS
Joomla! Language File Parsing Exposes Env Vars
CVE-2023-40626
7.5 - High
- November 29, 2023
The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensitive information.
Joomla! 4.2-4.3 MFA Screen Open Redirect & XSS
CVE-2023-23754
6.1 - Medium
- May 30, 2023
An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.
Improper Input Validation
Joomla! 4.2.0-4.3.1 MFA Brute Force via Missing Rate Limiting
CVE-2023-23755
7.5 - High
- May 30, 2023
An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.
Improper Restriction of Excessive Authentication Attempts
Joomla! 4.0.0-4.2.7: Unauth Webservice Access
CVE-2023-23752
5.3 - Medium
- February 16, 2023
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
Authorization
CSRF in Joomla! 4.0.0-4.2.6 PostInstall Msg Handling
CVE-2023-23750
6.3 - Medium
- February 01, 2023
An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.
Session Riding
Joomla! ACL Flaw in com_actionlogs 4.0.0-4.2.4
CVE-2023-23751
4.3 - Medium
- February 01, 2023
An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.
AuthZ
Reflected XSS in Joomla! 4.x com_media (before 4.2.5)
CVE-2022-27914
6.1 - Medium
- November 08, 2022
An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.
XSS
Joomla! 4.0.0-4.2.3 Debug Mode Exposes Prior Request Data
CVE-2022-27912
5.3 - Medium
- October 25, 2022
An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.
Information Disclosure
Joomla! 4.2.0-4.2.3 Reflected XSS in Various Components
CVE-2022-27913
6.1 - Medium
- October 25, 2022
An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.
XSS
Joomla! 4.2.0 Full Path Disclosure due to missing _JEXEC check
CVE-2022-27911
5.3 - Medium
- August 31, 2022
An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing '_JEXEC or die check' caused by the PSR12 changes.
Joomla! 3.7.0-3.10.6 XSS via com_fields
CVE-2022-23796
6.1 - Medium
- March 30, 2022
An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields.
XSS
Joomla! 4.0.0-4.1.0 XSS via SVG Embedding in com_media
CVE-2022-23801
6.1 - Medium
- March 30, 2022
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS attack vector through SVG embedding in com_media.
XSS
Joomla! 4.0.0-4.1.0 XSS via Inadequate Content Filtering
CVE-2022-23800
6.1 - Medium
- March 30, 2022
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components.
XSS
Joomla! 4.0.0-4.1.0 JInput Pollutes Method-Specific Input Bags with $_REQUEST Data
CVE-2022-23799
9.8 - Critical
- March 30, 2022
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data.
Joomla! 2.5.0-3.10.6 & 4.0.0-4.1.0 Open Redirect via Inadequate URL Validation
CVE-2022-23798
6.1 - Medium
- March 30, 2022
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result in an incorrect check of whether a redirect URL is internal or not.
Open Redirect
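Three entries on this page (CVE-2024-27184, CVE-2024-21723 and CVE-2022-23798) are the same class of bug: the "is this URL internal?" check accepts a shape the browser resolves off-site. The following is an added example of that check, not Joomla's Uri::isInternal, with the probe set a tester would send to a return parameter. It assumes "internal" means a relative reference or an http(s) URL whose host exactly equals the site host; the probes are constructed.

```python
"""Internal-URL check for redirect targets (added example, not Joomla code)."""
from __future__ import annotations

from urllib.parse import urlsplit


def is_internal_url(candidate: str, site_host: str) -> bool:
    """True only if `candidate` can resolve nowhere but `site_host`."""
    url = candidate.strip()
    # Browsers normalise backslashes and drop control characters ("/\evil.com" becomes
    # "//evil.com"); refuse them instead of guessing how each client will treat them.
    if any(ch == "\\" or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:            # e.g. malformed IPv6 literal
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference ("index.php?...", "/administrator/"). urlsplit already moved
        # a leading "//evil.com" into netloc, so a netloc-free path cannot leave the site.
        return True
    if parts.scheme.lower() not in ("http", "https"):
        return False              # javascript:, data:, and "https:evil.com" (no netloc)
    # Compare the parsed host, never a string prefix: "example.com.evil.com" and
    # "example.com@evil.com" both start with the site host and both leave it.
    return parts.hostname is not None and parts.hostname.lower() == site_host.lower()


def safe_redirect_target(candidate: str, site_host: str, fallback: str = "/") -> str:
    """Return `candidate` if it is internal, otherwise the fallback (assumed: site root)."""
    return candidate if is_internal_url(candidate, site_host) else fallback


# Constructed probes: value -> whether a correct check must accept it.
PROBES = {
    "/index.php?option=com_users": True,
    "index.php?view=login": True,
    "https://example.com/administrator/": True,
    "HTTPS://EXAMPLE.COM:443/x": True,
    "//evil.com/": False,
    "https://example.com.evil.com/": False,
    "https://example.com@evil.com/": False,
    "https:evil.com": False,
    "/\\evil.com": False,
    "javascript:alert(1)": False,
    "http://[::1": False,
}


def run_probes(site_host: str = "example.com") -> dict[str, bool]:
    """Map each probe to whether the check classified it correctly."""
    return {p: is_internal_url(p, site_host) == expected for p, expected in PROBES.items()}


if __name__ == "__main__":
    for probe, ok in run_probes().items():
        print(("ok   " if ok else "FAIL "), repr(probe))
```

The probe set is the useful part for testing a site: every entry except the first four should end up at the fallback, and `https:evil.com` in particular catches implementations that check the scheme and then trust whatever follows.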
Joomla! 3.0.0-3.10.6 & 4.0.0-4.1.0 SQL Injection via Inadequately Filtered Selected IDs
CVE-2022-23797
9.8 - Critical
- March 30, 2022
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering of the selected IDs in a request could result in a possible SQL injection.
SQL Injection
Joomla! 3.0.0-3.10.6 & 4.0.0-4.1.0 Path Traversal via Crafted Tar Package
CVE-2022-23793
7.5 - High
- March 30, 2022
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting a specially crafted tar package could write files outside of the intended path.
Directory traversal
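The check that prevents this class of bug has to look at three things per archive member: the member's own path, the target of any link entry, and whether the member would be written beneath a symlink created earlier in the same archive. The following is an added example of that pre-extraction check, not Joomla's archive code. The hostile archive is constructed in memory and the destination is an assumed installer temp directory; nothing is written to disk.

```python
"""Flag tar members that would escape the extraction directory (added example)."""
from __future__ import annotations

import io
import os
import tarfile


def _add_text(tar: tarfile.TarFile, name: str, text: str) -> None:
    data = text.encode()
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_hostile_tar() -> bytes:
    """Constructed archive: one legitimate file plus four escape attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_text(tar, "plugin/plugin.xml", "<extension/>")
        _add_text(tar, "../../configuration.php", "<?php // overwrite site config")
        _add_text(tar, "/etc/cron.d/backdoor", "* * * * * root id\n")
        link = tarfile.TarInfo("plugin/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../.."                 # points above the extraction root
        tar.addfile(link)
        _add_text(tar, "plugin/link/x", "written through the symlink")
    return buf.getvalue()


def _ancestors(name: str):
    parts = name.split(os.sep)
    for i in range(1, len(parts)):
        yield os.sep.join(parts[:i])


def unsafe_members(tar_bytes: bytes, dest: str = "/var/www/html/tmp/install") -> list[str]:
    """Names of members that escape `dest` by path, by link target, or via an earlier symlink."""
    root = os.path.realpath(dest)
    symlink_dirs: set[str] = set()
    flagged: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            name = os.path.normpath(member.name)
            target = os.path.realpath(os.path.join(root, member.name))
            # 1. Lexical escape: absolute names, or enough ".." to climb out of dest.
            if os.path.commonpath([root, target]) != root:
                flagged.append(member.name)
                continue
            # 2. A write beneath a symlink that this same archive created earlier.
            if any(parent in symlink_dirs for parent in _ancestors(name)):
                flagged.append(member.name)
                continue
            # 3. Link entries whose own target resolves outside dest.
            if member.issym() or member.islnk():
                symlink_dirs.add(name)             # later writes under this name are suspect
                base = os.path.dirname(target) if member.issym() else root
                link_target = os.path.realpath(os.path.join(base, member.linkname))
                if os.path.commonpath([root, link_target]) != root:
                    flagged.append(member.name)
                    continue
    return flagged


if __name__ == "__main__":
    for name in unsafe_members(build_hostile_tar()):
        print("would escape:", name)
```

Check 2 is deliberately conservative: it flags writes through any in-archive symlink, even one whose target stays inside `dest`, because an installer has no reason to ship that. On Python 3.12 and the security backports, `tarfile`'s `extractall(path, filter="data")` refuses the same member shapes at extraction time; the pre-check above is still useful when the archive should be rejected whole rather than partially extracted.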
Joomla! 3.0.0-3.10.6 & 4.0.0-4.1.0 Path Disclosure via Overlong Upload File Name
CVE-2022-23794
5.3 - Medium
- March 30, 2022
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Uploading a file with a name of excessive length causes an error. The resulting error screen reveals the file-system path of the web application's source code.
Generation of Error Message Containing Sensitive Information
Joomla! 2.5.0-3.10.6 & 4.0.0-4.1.0 Account Takeover via User Row Not Bound to Authentication Mechanism
CVE-2022-23795
9.8 - Critical
- March 30, 2022
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism, which could under very special circumstances allow an account takeover.
Authentication