Known Vulnerabilities for products from Joomla
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Joomla".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-48905 json | Lack of input filtering leads to an XSS vector in the HTML filter code. | Not Provided | 2026-05-26 | 2026-05-26 |
| CVE-2026-48904 json | An improper access check allows privelege escalation through the com_users group editing webservice endpoint. | Not Provided | 2026-05-26 | 2026-05-26 |
| CVE-2026-48903 json | Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. | Not Provided | 2026-05-26 | 2026-05-26 |
| CVE-2026-48902 json | The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explic... | Not Provided | 2026-05-26 | 2026-05-28 |
| CVE-2026-48901 json | The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. | Not Provided | 2026-05-26 | 2026-05-28 |
| CVE-2026-48900 json | An improper access check allowed low privileged users to edit the task types of existing scheduler tasks. | Not Provided | 2026-05-26 | 2026-05-26 |
| CVE-2026-48899 json | An improper access check allows privilege escalation through the com_users batch task. | Not Provided | 2026-05-26 | 2026-05-26 |
| CVE-2026-48898 json | An improper access check allows privilege escalation through the com_users batch task. | Not Provided | 2026-05-26 | 2026-05-26 |
| CVE-2026-48897 json | Insufficient state checks lead to a vector that allows to bypass 2FA checks. | Not Provided | 2026-05-26 | 2026-05-28 |
| CVE-2026-48896 json | Insufficient state checks lead to a vector that allows to bypass 2FA checks. | Not Provided | 2026-05-26 | 2026-05-28 |
| CVE-2026-40384 json | An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability. | Not Provided | 2026-05-26 | 2026-05-28 |
| CVE-2026-40383 json | An improper validation of user-supplied input leads to a local file inclusion vulnerability. | Not Provided | 2026-05-26 | 2026-05-27 |
| CVE-2026-35223 json | An improper access check allows unauthorized access to com_config webservice endpoints. | Not Provided | 2026-05-26 | 2026-05-28 |
| CVE-2026-35222 json | Improperly validated order clauses lead to a SQL injection vulnerability in com_tags. | Not Provided | 2026-05-26 | 2026-05-27 |
| CVE-2026-35221 json | Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder. | Not Provided | 2026-05-26 | 2026-05-27 |
| CVE-2026-35220 json | Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users. | Not Provided | 2026-05-26 | 2026-05-27 |
| CVE-2026-34424 json | Not Provided | 2026-04-09 | 2026-04-09 | |
| CVE-2026-30895 json | Lack of output escaping leads to a XSS vector in the readmore links for com_content. | Not Provided | 2026-05-26 | 2026-05-27 |
| CVE-2026-30894 json | Lack of output escaping leads to a XSS vector in the content history component. | Not Provided | 2026-05-26 | 2026-05-27 |
| CVE-2026-25901 json | Lack of output escaping leads to a XSS vector in the multilingual associations component. | Not Provided | 2026-05-26 | 2026-05-27 |