Joomla! vulnerabilities
296 known vulnerabilities affecting joomla/joomla_!.
Total CVEs: 296
CISA KEV: 2 (actively exploited)
Public exploits: 23
Exploited in wild: 8
Severity breakdown: CRITICAL 38, HIGH 74, MEDIUM 182, LOW 2
Vulnerabilities
Page 5 of 15
CVE-2010-1434 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 1.5.0, ≤ 1.5.15; Joomla core from 1.5.0 up to and including 1.5.15 | Date: 2021-06-21
CVE-2010-1434 [HIGH] CWE-384: Joomla! Core is prone to a session fixation vulnerability. An attacker may leverage this issue to hijack an arbitrary session and gain access to sensitive information, which may help in launching further attacks. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable.
Source: nvd
CVE-2025-25227 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 4.0.0, < 4.4.13; ≥ 5.0.0, < 5.2.6 | Date: 2025-04-08
CVE-2025-25227 [HIGH] CWE-287: Insufficient state checks lead to a vector that allows bypassing 2FA checks.
Source: nvd
CVE-2024-27187 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 4.0.0, < 4.4.7; ≥ 5.0.0, < 5.1.3 | Date: 2024-08-20
CVE-2024-27187 [HIGH] CWE-284: Improper access controls allow backend users to overwrite their username when disallowed.
Source: nvd
CVE-2024-21725 | P3 | MEDIUM | CVSS 6.1 | Affected: ≥ 4.0.0, < 4.4.3; ≥ 5.0.0, < 5.0.3 | Date: 2024-02-29
CVE-2024-21725 [MEDIUM] CWE-79: Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components.
Source: nvd
CVE-2020-35612 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 2.5.0, ≤ 3.9.22 | Date: 2020-12-28
CVE-2020-35612 [HIGH] CWE-22: An issue was discovered in Joomla! 2.5.0 through 3.9.22. The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability.
Source: nvd
CVE-2026-48901 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 4.0.0, < 5.4.6; ≥ 6.0.0, < 6.1.1 | Date: 2026-05-26
CVE-2026-48901 [HIGH] CWE-524: The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.
Source: nvd
CVE-2026-21629 | P3 | HIGH | CVSS 7.3 | Affected: ≥ 3.0.0, < 5.4.4; ≥ 6.0.0, < 6.0.4 | Date: 2026-04-01
CVE-2026-21629 [HIGH] CWE-284: The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by third-party developers.
Source: nvd
CVE-2011-4909 | P4 | MEDIUM | CVSS 4.3 | PoC | Affected: ≤ 1.5.11; v1.5.0 (+10 more) | Date: 2012-10-07
CVE-2011-4909 [MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.5.12 allow remote attackers to inject arbitrary web script or HTML via the HTTP_REFERER header to (1) components/com_content/views/article/tmpl/form.php, (2) components/com_user/controller.php, (3) plugins/system/legacy/html.php, or (4) templates/beez/html/com_content/article/form.p
Source: nvd
CVE-2015-8565 | P3 | HIGH | CVSS 7.5 | Affected: v3.2.0, v3.2.1 (+14 more) | Date: 2015-12-16
CVE-2015-8565 [HIGH] CWE-20: Directory traversal vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows remote attackers to have unspecified impact via unknown vectors.
Source: nvd
CVE-2019-9713 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 3.8.0, < 3.9.4 | Date: 2019-03-12
CVE-2019-9713 [HIGH] CWE-862: An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access.
Source: nvd
CVE-2020-35610 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 2.5.0, ≤ 3.9.22 | Date: 2020-12-28
CVE-2020-35610 [HIGH]: An issue was discovered in Joomla! 2.5.0 through 3.9.22. The autosuggestion feature of com_finder did not respect the access level of the corresponding terms.
Source: nvd
CVE-2020-13760 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 3.7.1, < 3.9.19; v3.7.0 | Date: 2020-06-02
CVE-2020-13760 [HIGH] CWE-352: In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF.
Source: nvd
CVE-2007-4188 | P3 | CRITICAL | CVSS 9.3 | Affected: fixed in 1.0.13 | Date: 2007-08-08
CVE-2007-4188 [CRITICAL] CWE-384: Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors.
Source: nvd
CVE-2019-10946 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 3.2.0, ≤ 3.9.4 | Date: 2019-04-10
CVE-2019-10946 [HIGH] CWE-306: An issue was discovered in Joomla! before 3.9.5. The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users.
Source: nvd
CVE-2015-8564 | P3 | HIGH | CVSS 7.5 | Affected: v3.4.0, v3.4.1 (+3 more) | Date: 2015-12-16
CVE-2015-8564 [HIGH] CWE-20: Directory traversal vulnerability in Joomla! 3.4.x before 3.4.6 allows remote attackers to have unspecified impact via directory traversal sequences in the XML install file in an extension package archive.
Source: nvd
CVE-2012-2747 | P3 | HIGH | CVSS 7.5 | Affected: v2.5.0, v2.5.1 (+3 more) | Date: 2012-07-03
CVE-2012-2747 [HIGH]: Unspecified vulnerability in Joomla! 2.5.x before 2.5.5 allows remote attackers to gain privileges via unknown attack vectors related to "Inadequate checking."
Source: nvd
CVE-2010-4166 | P3 | HIGH | CVSS 7.5 | Affected: v1.5.0, v1.5.1 (+20 more) | Date: 2011-01-18
CVE-2010-4166 [HIGH] CWE-89: Multiple SQL injection vulnerabilities in Joomla! 1.5.x before 1.5.22 allow remote attackers to execute arbitrary SQL commands via (1) the filter_order parameter in a com_weblinks category action to index.php, (2) the filter_order_Dir parameter in a com_weblinks category action to index.php, or (3) the filter_order_Dir parameter in a com_messages action
Source: nvd
CVE-2016-9837 | P3 | HIGH | CVSS 7.5 | Affected: ≤ 3.6.4 | Date: 2016-12-16
CVE-2016-9837 [HIGH] CWE-264: An issue was discovered in templates/beez3/html/com_content/article/default.php in Joomla! before 3.6.5. Inadequate permissions checks in the Beez3 layout override of the com_content article view allow users to view articles that should not be publicly accessible, as demonstrated by an index.php?option=com_content&view=article&id=1&template=beez3 reques
Source: nvd
CVE-2021-26038 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 2.5.0, ≤ 3.9.27 | Date: 2021-07-07
CVE-2021-26038 [HIGH] CWE-754: An issue was discovered in Joomla! 2.5.0 through 3.9.27. The install action in com_installer lacks the required hardcoded ACL checks for superusers. A default system is not affected because the default ACL for com_installer is already limited to super users.
Source: nvd
CVE-2010-1432 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 1.5.0, ≤ 1.5.15; Joomla core from 1.5.0 up to and including 1.5.15 | Date: 2021-06-21
CVE-2010-1432 [HIGH] CWE-200: Joomla! Core is prone to an information disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may help in launching further attacks. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable.
Source: nvd