Joomla! vulnerabilities
296 known vulnerabilities affecting joomla/joomla_!.

Total CVEs: 296
CISA KEV: 2 (actively exploited)
Public exploits: 23
Exploited in wild: 8

Severity breakdown: CRITICAL 38 | HIGH 74 | MEDIUM 182 | LOW 2
Vulnerabilities
Page 3 of 15
CVE-2019-14654 | P3 | HIGH | CVSS 8.8 | affected: 3.9.7, 3.9.8 | published 2019-08-05
In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. In other words, the filter attribute in subform fields allows remote code execution. This is fixed in 3.9.9.
Source: NVD
CVE-2013-3242 | P4 | MEDIUM | CVSS 5.5 | PoC available | CWE-20 | affected: 3.0.0, 3.0.1, +12 more | published 2013-05-03
plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obtained by unserializing a cookie, which allows remote authenticated users to conduct PHP object injection attacks and cause a denial of service via unspecified vectors.
Source: NVD
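The bug class behind CVE-2013-3242, shown as an added example (PHP 8; this is not Joomla's remember.php and does not reproduce its code): a cookie handed straight to unserialize() lets the client choose which class gets instantiated, and any magic method on that class runs before the application sees the result. The CacheCleaner gadget, the forged cookie string and the secret are constructed for the demonstration; the HMAC-then-JSON pattern at the end is a generic hardening, not the fix Joomla shipped.

```php
<?php
// Added example, not Joomla's remember.php: why unserialize() on cookie data
// is dangerous and two safer patterns. CacheCleaner, the cookie string and
// the secret are constructed for this demonstration.

declare(strict_types=1);

// Any loaded class with a magic method is a potential gadget: unserialize()
// instantiates it and PHP runs __wakeup() before the caller sees the object.
final class CacheCleaner
{
    public string $path = '';

    public function __wakeup(): void
    {
        // A real gadget would do something like unlink($this->path) here.
        echo "__wakeup() ran for path {$this->path}\n";
    }
}

// Crafted "remember me" cookie: a serialized CacheCleaner where the
// application expects a serialized array of credentials.
$forgedCookie = 'O:12:"CacheCleaner":1:{s:4:"path";s:11:"/etc/passwd";}';

// Vulnerable: whatever class the cookie names gets instantiated.
function rememberVulnerable(string $cookie): mixed
{
    return unserialize($cookie);
}

// Safer: never instantiate classes from untrusted data. Objects come back as
// __PHP_Incomplete_Class and no magic method runs. Still parses attacker data.
function rememberNoClasses(string $cookie): mixed
{
    return unserialize($cookie, ['allowed_classes' => false]);
}

// Preferred: authenticate the cookie with an HMAC under a server-side secret
// and carry plain JSON, so untrusted bytes are rejected before any parsing.
function issueCookie(array $data, string $secret): string
{
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function readCookie(string $cookie, string $secret): ?array
{
    if (substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;                     // forged or tampered: stop here
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

rememberVulnerable($forgedCookie);                        // gadget fires
$obj = rememberNoClasses($forgedCookie);
echo 'allowed_classes=false gives ', get_class($obj), "\n";

$secret = 'constructed-server-secret';
$cookie = issueCookie(['user_id' => 42, 'series' => 'abc123'], $secret);
echo 'valid cookie -> ', json_encode(readCookie($cookie, $secret)), "\n";
echo 'forged cookie -> ', var_export(readCookie($forgedCookie, $secret), true), "\n";
```

The allowed_classes option stops gadget execution but still parses attacker-controlled structure, which is why the HMAC check is the pattern to prefer: the cookie is rejected on a constant-time MAC comparison before any decoder touches it.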
CVE-2024-21726 | P3 | MEDIUM | CVSS 6.5 | CWE-79 | affected: ≥ 3.7.0, ≤ 3.10.15; ≥ 4.0.0, < 4.4.3; +1 more | published 2024-02-29
Inadequate content filtering leads to XSS vulnerabilities in various components.
Source: NVD
CVE-2018-11325 | P3 | CRITICAL | CVSS 9.8 | CWE-209 | fixed in 3.8.8 | published 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and display the plaintext password for the administrator account at the confirmation screen.
Source: NVD
CVE-2019-19846 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | affected: ≥ 2.5.0, < 3.9.14 | published 2019-12-18
In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.
Source: NVD
CVE-2022-23797 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | affected: ≥ 3.0.0, ≤ 3.10.6; ≥ 4.0.0, ≤ 4.1.0 | published 2022-03-30
An issue was discovered in Joomla! 3.0.0 through 3.10.6 and 4.0.0 through 4.1.0. Inadequate filtering of the selected IDs in a request could result in a possible SQL injection.
Source: NVD
CVE-2025-25226 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | affected (database package): ≥ 1.0.0, < 2.2.0; ≥ 3.0.0, < 3.4.0 | published 2025-04-08
Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in either the 2.x or the 3.x branch and therefore the vulnerability in question cannot be exploited when using the original databa
Source: NVD
CVE-2011-1151 | P3 | CRITICAL | CVSS 9.1 | CWE-89 | affected: 1.6.0 | published 2020-02-05
Joomla! 1.6.0 is vulnerable to SQL injection via the filter_order and filter_order_Dir parameters.
Source: NVD
CVE-2019-11831 | P3 | CRITICAL | CVSS 9.8 | CWE-22 | affected: ≥ 3.9.3, ≤ 3.9.5 | published 2019-05-09
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
Source: NVD
CVE-2016-9836 | P3 | CRITICAL | CVSS 9.8 | CWE-284 | affected: ≤ 3.6.4 | published 2016-12-05
The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to upload and execute files with the `.php6`, `.php7`, `.phtml`, and `.phpt` extensions. Additionally, JHelperMedia::canUpload() did not blacklist t
Source: NVD
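The check described for CVE-2016-9836, as an added example (not Joomla's JFilterInput or JHelperMedia code): a filter that only knows the literal `.php` extension next to one that denies every extension a typical PHP handler mapping covers and also inspects the content regardless of name. The four extensions named in the advisory are in the list; the remaining entries, the multi-extension handling and the sample file names and bodies are my additions and are constructed for the demonstration.

```php
<?php
// Added example, not Joomla's upload filter. The extension list beyond
// .php6/.php7/.phtml/.phpt, the multi-extension rule and the samples are
// assumptions made for this demonstration.

declare(strict_types=1);

// Weak check in the spirit of the pre-3.6.5 behaviour described above: only the
// last extension is examined and only one literal spelling is known.
function isUploadSafeWeak(string $filename): bool
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION)) !== 'php';
}

// Every extension that commonly maps to the PHP interpreter in Apache/nginx
// configurations, including the ones named in the advisory.
const PHP_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php6', 'php7', 'php8',
    'phtml', 'phpt', 'phps', 'phar', 'pht', 'inc',
];

// Hardened check: look at every extension in the name (so "shell.php.jpg" is
// caught on servers whose handler matches any extension in the chain), and
// refuse anything that carries a PHP open tag whatever it is called.
function isUploadSafe(string $filename, string $contents): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    array_shift($parts);                          // drop the base name, keep all extensions
    foreach ($parts as $ext) {
        if (in_array($ext, PHP_EXTENSIONS, true)) {
            return false;
        }
    }
    // Extension-independent content check for "<?php" and "<?=".
    if (preg_match('/<\?(?:php\b|=)/i', $contents) === 1) {
        return false;
    }
    return true;
}

// Constructed samples: webshells under several names, plus two benign files.
$samples = [
    ['shell.php',     '<?php system($_GET["c"]); ?>'],
    ['shell.php7',    '<?php system($_GET["c"]); ?>'],
    ['shell.phtml',   '<?php system($_GET["c"]); ?>'],
    ['shell.php.jpg', '<?php system($_GET["c"]); ?>'],
    ['renamed.gif',   'GIF89a <?= shell_exec($_GET["c"]) ?>'],
    ['photo.jpg',     "\xFF\xD8\xFF\xE0 constructed JPEG header"],
    ['notes.txt',     'plain text'],
];

foreach ($samples as [$name, $body]) {
    printf("%-15s weak=%-5s hardened=%s\n", $name,
        var_export(isUploadSafeWeak($name), true),
        var_export(isUploadSafe($name, $body), true));
}
```

A deny-list of extensions is only ever as good as the server's handler configuration; the content check is what catches a renamed polyglot such as the GIF sample, and in practice an allow-list of expected media types plus storage outside the web root is the stronger design.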
CVE-2018-6377 | P3 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.8.4 | published 2018-01-30
In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e., list, radio, and checkbox.
Source: NVD
CVE-2018-17855 | P3 | HIGH | CVSS 8.8 | CWE-269 | affected: ≥ 1.5.0, < 3.8.13 | published 2018-10-09
An issue was discovered in Joomla! before 3.8.13. If an attacker gets access to the mail account of a user who can approve admin verifications in the registration process, they can activate their own account.
Source: NVD
CVE-2018-15882 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | fixed in 3.8.12 | published 2018-08-29
An issue was discovered in Joomla! before 3.8.12. Inadequate checks in the InputFilter class could allow specifically prepared phar files to pass the upload filter.
Source: NVD
CVE-2019-7743 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | affected: ≥ 2.5.0, ≤ 3.9.2 | published 2019-02-12
An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for object injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non .phar-files.
Source: NVD
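The two phar:// entries above (CVE-2019-7743, no restriction on what phar:// may open, and CVE-2019-11831, an allow-list check bypassed with `..`) share one lesson, shown here as an added example that is not code from Joomla or from the TYPO3 phar-stream-wrapper package: a guard must decide on the archive PHP will actually open, not on a normalised path. The function pharArchivePath() is a simplified model of PHP's rule for locating the archive inside a phar:// URL (an assumption; PHP also accepts other archive suffixes), and the allow-list and URLs are constructed.

```php
<?php
// Added example, not code from Joomla or TYPO3. pharArchivePath() is a
// simplified model (assumption) of how PHP picks the archive in a phar:// URL;
// the allow-list and the three URLs are constructed for this demonstration.

declare(strict_types=1);

// PHP treats the first path segment that carries an extension as the archive;
// everything after it is a path *inside* that archive, and no ".." after the
// archive name can move back out to the filesystem.
function pharArchivePath(string $url): ?string
{
    if (stripos($url, 'phar://') !== 0) {
        return null;
    }
    $prefix = [];
    foreach (explode('/', substr($url, 7)) as $segment) {
        $prefix[] = $segment;
        if (strpos($segment, '.') > 0) {          // a dot that is not "." or ".."
            return implode('/', $prefix);
        }
    }
    return null;
}

// Lexical normalisation of "." and ".." (no filesystem access).
function normalisePath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $segment;
    }
    return '/' . implode('/', $out);
}

// Flawed guard (the bug class behind CVE-2019-11831): normalise the whole path
// first, then locate the archive. A ".." placed after the real archive name
// changes what the guard examines but not what PHP opens.
function allowedFlawed(string $url, array $allowList): bool
{
    $archive = pharArchivePath('phar://' . normalisePath(substr($url, 7)));
    return $archive !== null && in_array($archive, $allowList, true);
}

// Hardened guard: locate the archive the way PHP does, require a ".phar" file
// (so phar:// cannot be pointed at an uploaded image, the CVE-2019-7743
// scenario), and only then normalise that archive path for the allow-list.
function allowedHardened(string $url, array $allowList): bool
{
    $archive = pharArchivePath($url);
    if ($archive === null || preg_match('/\.phar$/i', $archive) !== 1) {
        return false;
    }
    return in_array(normalisePath($archive), $allowList, true);
}

$allowList = ['/var/www/good.phar'];
$cases = [
    'phar:///var/www/good.phar/config.json',      // legitimate use
    'phar:///var/www/bad.phar/../good.phar',       // the CVE-2019-11831 URL shape
    'phar:///var/www/uploads/avatar.jpg/x',        // CVE-2019-7743: a non-.phar file
];

foreach ($cases as $url) {
    printf("%-42s opens=%-30s flawed=%-5s hardened=%s\n",
        $url,
        pharArchivePath($url) ?? '(refused)',
        var_export(allowedFlawed($url, $allowList), true),
        var_export(allowedHardened($url, $allowList), true));
}
```

The "opens" column is the point: for the second URL PHP loads bad.phar and runs whatever metadata it carries through unserialize(), while the flawed guard has already approved good.phar. Any guard that resolves paths must resolve them the same way the consumer does.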
CVE-2022-23795 | P3 | CRITICAL | CVSS 9.8 | CWE-287 | affected: ≥ 2.5.0, ≤ 3.10.6; ≥ 4.0.0, ≤ 4.1.0 | published 2022-03-30
An issue was discovered in Joomla! 2.5.0 through 3.10.6 and 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism, which could under very special circumstances allow an account takeover.
Source: NVD
CVE-2018-11323 | P3 | HIGH | CVSS 8.8 | CWE-269 | fixed in 3.8.8 | published 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.
Source: NVD
CVE-2017-11364 | P3 | HIGH | CVSS 8.8 | CWE-295 | affected: 1.0.0, 1.0.1, +132 more | published 2017-08-02
The CMS installer in Joomla! before 3.7.4 does not verify a user's ownership of a webspace, which allows remote authenticated users to gain control of the target application by leveraging Certificate Transparency logs.
Source: NVD
CVE-2026-40384 | P3 | HIGH | CVSS 7.5 | CWE-22 | affected: ≥ 4.0.0, < 5.4.6; ≥ 6.0.0, < 6.1.1 | published 2026-05-26
Improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.
Source: NVD
CVE-2026-48902 | P3 | CRITICAL | CVSS 9.8 | CWE-319 | affected: ≥ 3.0.0, < 5.4.6; ≥ 6.0.0, < 6.1.1 | published 2026-05-26
The password and username reset features created plain http links for https connections if the "Force SSL" flag was not explicitly set.
Source: NVD
CVE-2019-6263 | P4 | MEDIUM | CVSS 4.8 | PoC available | CWE-79 | affected: ≥ 2.5.0, < 3.9.2 | published 2019-01-16
An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration Text Filter settings allowed stored XSS.
Source: NVD