
Joomla! vulnerabilities

296 known vulnerabilities affecting joomla/joomla_!.

Total CVEs: 296
CISA KEV: 2 (actively exploited)
Public exploits: 23
Exploited in wild: 8
Severity breakdown: CRITICAL 38, HIGH 74, MEDIUM 182, LOW 2

Vulnerabilities

Page 4 of 15
CVE-2018-12712 | P3 | HIGH | CVSS 8.8 | ≥ 2.5.0, ≤ 3.8.8 | 2018-06-26
[HIGH] CWE-20: An issue was discovered in Joomla! 2.5.0 through 3.8.8 before 3.8.9. The autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3, this function validates invalid names as valid, which can result in a Local File Inclusion.
Source: nvd

CVE-2014-6632 | P3 | HIGH | CVSS 7.5 | v2.5.0, v2.5.1, +30 more | 2014-10-08
[HIGH] CWE-287: Joomla! 2.5.x before 2.5.25, 3.x before 3.2.4, and 3.3.x before 3.3.4 allows remote attackers to authenticate and bypass intended access restrictions via vectors involving LDAP authentication.
Source: nvd

CVE-2021-26040 | P3 | CRITICAL | CVSS 9.1 | v4.0.0 | 2021-08-24
[CRITICAL] CWE-863: An issue was discovered in Joomla! 4.0.0. The media manager does not correctly check the user's permissions before executing a file deletion command.
Source: nvd

CVE-2024-27185 | P3 | CRITICAL | CVSS 9.1 | ≥ 3.0.0, < 3.10.17; ≥ 4.0.0, < 4.4.7; +1 more | 2024-08-20
[CRITICAL] CWE-444: The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.
Source: nvd

CVE-2016-9081 | P3 | CRITICAL | CVSS 9.8 | v3.4.4, v3.4.5, +9 more | 2017-01-23
[CRITICAL] CWE-255: Joomla! 3.4.4 through 3.6.3 allows attackers to reset username, password, and user group assignments and possibly perform other user account modifications via unspecified vectors.
Source: nvd

CVE-2022-23799 | P3 | CRITICAL | CVSS 9.8 | ≥ 4.0.0, ≤ 4.1.0 | 2022-03-30
[CRITICAL] An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data.
Source: nvd

CVE-2015-8769 | P3 | HIGH | CVSS 7.3 | v3.0.0, v3.0.1, +27 more | 2016-01-12
[HIGH] CWE-89: SQL injection vulnerability in Joomla! 3.x before 3.4.7 allows attackers to execute arbitrary SQL commands via unspecified vectors.
Source: nvd

CVE-2026-23898 | P3 | HIGH | CVSS 7.2 | ≥ 3.0.0, < 5.4.4; ≥ 6.0.0, < 6.0.4 | 2026-04-01
[HIGH] CWE-73: Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.
Source: nvd

CVE-2021-23128 | P3 | CRITICAL | CVSS 9.1 | ≥ 3.2.0, < 3.9.25 | 2021-03-04
[CRITICAL] An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncryptRandval) used a potentially insecure implementation. That has now been replaced with a call to 'random_bytes()' and its backport that is shipped within random_compat.
Source: nvd

CVE-2018-17856 | P3 | HIGH | CVSS 7.2 | ≥ 2.5.4, < 3.8.13 | 2018-10-09
[HIGH] An issue was discovered in Joomla! before 3.8.13. com_joomlaupdate allows the execution of arbitrary code. The default ACL config enabled the ability of Administrator-level users to access com_joomlaupdate and trigger code execution.
Source: nvd

CVE-2014-7984 | P3 | HIGH | CVSS 7.5 | v2.5.0, v2.5.1, +32 more | 2014-10-08
[HIGH] CWE-264: Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to authenticate and bypass intended restrictions via vectors involving GMail authentication.
Source: nvd

CVE-2021-23132 | P3 | HIGH | CVSS 7.5 | ≥ 3.0.0, < 3.9.25 | 2021-03-04
[HIGH] An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads.
Source: nvd

CVE-2026-48896 | P3 | HIGH | CVSS 7.5 | ≥ 4.0.0, < 5.4.6; ≥ 6.0.0, < 6.1.1 | 2026-05-26
[HIGH] CWE-287: Insufficient state checks lead to a vector that allows 2FA checks to be bypassed.
Source: nvd

CVE-2020-35616 | P3 | HIGH | CVSS 7.5 | ≥ 1.7.0, ≤ 3.9.22 | 2020-12-28
[HIGH] CWE-20: An issue was discovered in Joomla! 1.7.0 through 3.9.22. Lack of input validation while handling ACL rulesets can cause write ACL violations.
Source: nvd

CVE-2020-10238 | P3 | HIGH | CVSS 7.5 | ≥ 2.5.0, < 3.9.16 | 2020-03-16
[HIGH] CWE-668: An issue was discovered in Joomla! before 3.9.16. Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors.
Source: nvd

CVE-2021-23127 | P3 | CRITICAL | CVSS 9.1 | ≥ 3.2.0, < 3.9.25 | 2021-03-04
[CRITICAL] An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of an insufficient length for the 2FA secret according to RFC 4226 (10 bytes vs. 20 bytes).
Source: nvd

CVE-2018-11322 | P3 | HIGH | CVSS 7.5 | fixed in 3.8.8 | 2018-05-22
[HIGH] CWE-434: An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.
Source: nvd

CVE-2024-40749 | P3 | HIGH | CVSS 7.5 | ≥ 3.9.0, < 3.10.20; ≥ 4.0.0, < 4.4.10; +1 more | 2025-01-07
[HIGH] CWE-284: Improper Access Controls allows access to protected views.
Source: nvd

CVE-2026-48897 | P3 | HIGH | CVSS 7.5 | ≥ 4.0.0, < 5.4.6; ≥ 6.0.0, < 6.1.1 | 2026-05-26
[HIGH] CWE-287: Insufficient state checks lead to a vector that allows 2FA checks to be bypassed.
Source: nvd

CVE-2022-23793 | P3 | HIGH | CVSS 7.5 | ≥ 3.0.0, ≤ 3.10.6; ≥ 4.0.0, ≤ 4.1.0 | 2022-03-30
[HIGH] CWE-22: An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting a specifically crafted tar package could write files outside of the intended path.
Source: nvd
