CVE-2026-48903
Published 2026-05-26
CVE-2026-48903: Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.
Priority P4 · 25 · medium · 6.1 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS 0.14% · 4.0th percentile
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla!_project | joomla!_framework_filter_package | — | — |
| joomla!_project | joomla!_framework_filter_package | — | — |
| joomla | joomla_! | >= 3.0.0 < 5.4.6 | 5.4.6 |
| joomla | joomla_! | >= 6.0.0 < 6.1.1 | 6.1.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-r82q-7896-84h5: Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components
ghsa_unreviewed·2026-05-26
CVE-2026-48903 [MEDIUM] CWE-79 GHSA-r82q-7896-84h5: Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components
VulDB
Framework Filter Package up to 3.0.5/4.0.1 on Joomla checkAttribute cross site scripting
vuldb·2026-05-26·CVSS 6.9
CVE-2026-48903 [MEDIUM] Framework Filter Package up to 3.0.5/4.0.1 on Joomla checkAttribute cross site scripting
A vulnerability, which was classified as problematic, has been found in Framework Filter Package up to 3.0.5/4.0.1 on Joomla. This impacts the function checkAttribute. This manipulation causes cross site scripting.
This vulnerability is tracked as CVE-2026-48903. The attack can be carried out remotely. No exploit exists.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-26