Joomla! vulnerabilities
296 known vulnerabilities affecting joomla/joomla_!.
Total CVEs: 296
CISA KEV: 2 (actively exploited)
Public exploits: 23
Exploited in wild: 8
Severity breakdown: CRITICAL 38, HIGH 74, MEDIUM 182, LOW 2
Vulnerabilities
Page 7 of 15
CVE-2024-21722 [MEDIUM] P4, CVSS 6.3, CWE-613, 2024-02-29
Affected: ≥ 3.2.0, < 3.10.15; ≥ 4.0.0, < 4.4.3 (+1 more)
The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.
Source: nvd
CVE-2018-11321 [MEDIUM] P4, CVSS 6.5, CWE-20, 2018-05-22
Fixed in: 3.8.8
An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.
Source: nvd
CVE-2006-4470 [HIGH] P4, CVSS 7.5, 2006-08-31
Fixed in: 1.0.11
Joomla! before 1.0.11 omits some checks for whether _VALID_MOS is defined, which allows attackers to have an unknown impact, possibly resulting in PHP remote file inclusion.
Source: nvd
CVE-2019-12764 [MEDIUM] P4, CVSS 6.5, 2019-06-11
Affected: ≥ 3.8.13, < 3.9.7
An issue was discovered in Joomla! before 3.9.7. The update server URL of com_joomlaupdate can be manipulated by non-Super-Admin users.
Source: nvd
CVE-2017-7989 [MEDIUM] P4, CVSS 6.5, CWE-434, 2017-04-25
Affected: v3.2.0, v3.2.1 (+26 more)
In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.
Source: nvd
CVE-2012-1598 [HIGH] P4, CVSS 7.5, CWE-264, 2012-12-03
Affected: v1.5.0, v1.5.1 (+24 more)
Joomla! 1.5.x before 1.5.26 has unspecified impact and attack vectors related to "insufficient randomness" and a "password reset vulnerability."
Source: nvd
CVE-2020-15696 [MEDIUM] P4, CVSS 6.1, CWE-79, 2020-07-15
Affected: ≥ 3.0.0, ≤ 3.9.19
An issue was discovered in Joomla! through 3.9.19. Lack of input filtering and escaping allows XSS attacks in mod_random_image.
Source: nvd
CVE-2015-5397 [MEDIUM] P4, CVSS 6.8, CWE-352, 2015-07-14
Affected: v3.2.0, v3.2.1 (+13 more)
Cross-site request forgery (CSRF) vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload code via unknown vectors.
Source: nvd
CVE-2021-26033 [MEDIUM] P4, CVSS 6.5, CWE-352, 2021-05-26
Affected: ≥ 3.0.0, ≤ 3.9.26
An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint.
Source: nvd
CVE-2020-15695 [MEDIUM] P4, CVSS 6.3, CWE-352, 2020-07-15
Affected: ≥ 3.9.0, ≤ 3.9.19
An issue was discovered in Joomla! through 3.9.19. A missing token check in the remove request section of com_privacy causes a CSRF vulnerability.
Source: nvd
CVE-2020-15700 [MEDIUM] P4, CVSS 6.3, CWE-352, 2020-07-15
Affected: ≥ 3.7.0, ≤ 3.9.19
An issue was discovered in Joomla! through 3.9.19. A missing token check in the ajax_install endpoint of com_installer causes a CSRF vulnerability.
Source: nvd
CVE-2018-11324 [MEDIUM] P4, CVSS 5.9, CWE-362, 2018-05-22
Fixed in: 3.8.8
An issue was discovered in Joomla! Core before 3.8.8. A long-running background process, such as remote checks for core or extension updates, could create a race condition where a session that was expected to be destroyed would be recreated.
Source: nvd
CVE-2006-4468 [MEDIUM] P4, CVSS 6.8, CWE-20, 2006-08-31
Fixed in: 1.0.11
Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related to unvalidated input, allow attackers to have an unknown impact via unspecified vectors involving the (1) mosMail, (2) JosIsValidEmail, and (3) josSpoofValue functions; (4) the lack of inclusion of globals.php in administrator/index.php; (5) the Admin User Manager; and (6) the poll
Source: nvd
CVE-2015-8563 [MEDIUM] P4, CVSS 6.8, CWE-352, 2015-12-16
Affected: v3.2.0, v3.2.1 (+14 more)
Cross-site request forgery (CSRF) vulnerability in the com_templates component in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Source: nvd
CVE-2017-9934 [MEDIUM] P4, CVSS 6.1, CWE-79, 2017-07-17
Affected: v1.7.3, v1.7.4 (+73 more)
Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability.
Source: nvd
CVE-2021-26034 [MEDIUM] P4, CVSS 6.5, CWE-352, 2021-05-26
Affected: ≥ 3.0.0, ≤ 3.9.26
An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo.
Source: nvd
CVE-2020-35615 [MEDIUM] P4, CVSS 6.3, CWE-352, 2020-12-28
Affected: ≥ 2.5.0, ≤ 3.9.22
An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.
Source: nvd
CVE-2020-11890 [MEDIUM] P4, CVSS 5.3, CWE-20, 2020-04-21
Affected: ≥ 2.5.0, < 3.9.17
An issue was discovered in Joomla! before 3.9.17. Improper input validation in the usergroup table class could lead to a broken ACL configuration.
Source: nvd
CVE-2023-23750 [MEDIUM] P4, CVSS 6.3, CWE-352, 2023-02-01
Affected: ≥ 4.0.0, ≤ 4.2.6
An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.
Source: nvd
CVE-2026-48905 [MEDIUM] P4, CVSS 6.1, CWE-79, 2026-05-26
Affected: ≥ 3.0.0, < 5.4.6; ≥ 6.0.0, < 6.1.0
Lack of input filtering leads to an XSS vector in the HTML filter code.
Source: nvd