
Joomla! vulnerabilities

296 known vulnerabilities affecting joomla/joomla_!.

Total CVEs: 296
CISA KEV: 2 (actively exploited)
Public exploits: 23
Exploited in wild: 8
Severity breakdown: CRITICAL 38, HIGH 74, MEDIUM 182, LOW 2

Vulnerabilities

Page 8 of 15
CVE-2020-15698 | P4 | MEDIUM | CVSS 5.3 | ≥ 3.0.0, ≤ 3.9.19 | 2020-07-15
An issue was discovered in Joomla! through 3.9.19. Inadequate filtering on the system information screen could expose Redis or proxy credentials.
nvd
CVE-2008-4122 | P4 | HIGH | CVSS 7.5 | v1.5.8 | 2008-12-19
CWE-319: Joomla! 1.5.8 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
nvd
CVE-2006-4471 | P4 | MEDIUM | CVSS 6.5 | fixed in 1.0.11 | 2006-08-31
CWE-434: The Admin Upload Image functionality in Joomla! before 1.0.11 allows remote authenticated users to upload files outside of the /images/stories/ directory via unspecified vectors.
nvd
CVE-2018-6380 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.8.4 | 2018-01-30
CWE-79: In Joomla! before 3.8.4, lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.
nvd
CVE-2018-6379 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.8.4 | 2018-01-30
CWE-79: In Joomla! before 3.8.4, inadequate input filtering in the Uri class (formerly JUri) leads to an XSS vulnerability.
nvd
CVE-2018-12711 | P4 | MEDIUM | CVSS 6.1 | ≥ 1.6.0, ≤ 3.8.8 | 2018-06-26
CWE-79: An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page URL.
nvd
CVE-2020-24598 | P4 | MEDIUM | CVSS 6.1 | ≥ 3.0.0, < 3.9.21 | 2020-08-26
CWE-601: An issue was discovered in Joomla! before 3.9.21. Lack of input validation in the vote feature of com_content leads to an open redirect.
nvd
CVE-2021-26035 | P4 | MEDIUM | CVSS 6.1 | ≥ 3.0.0, ≤ 3.9.27 | 2021-07-07
CWE-79: An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to an XSS vulnerability.
nvd
CVE-2026-25901 | P4 | MEDIUM | CVSS 6.1 | ≥ 3.0.0, < 5.4.6; ≥ 6.0.0, < 6.1.1 | 2026-05-26
CWE-79: Lack of output escaping leads to an XSS vector in the multilingual associations component.
nvd
CVE-2026-30894 | P4 | MEDIUM | CVSS 6.1 | ≥ 3.0.0, < 5.4.6; ≥ 6.0.0, < 6.1.1 | 2026-05-26
CWE-79: Lack of output escaping leads to an XSS vector in the content history component.
nvd
CVE-2025-63083 | P4 | MEDIUM | CVSS 6.1 | ≥ 3.9.0, < 5.4.2; ≥ 6.0.0, < 6.0.2 | 2026-01-06
CWE-79: Lack of output escaping leads to an XSS vector in the pagebreak plugin.
nvd
CVE-2025-63082 | P4 | MEDIUM | CVSS 6.1 | ≥ 4.0.0, < 5.4.2; ≥ 6.0.0, < 6.0.2 | 2026-01-06
CWE-79: Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.
nvd
CVE-2019-19845 | P4 | MEDIUM | CVSS 5.3 | ≥ 3.8.0, < 3.9.14 | 2019-12-18
CWE-22: In Joomla! before 3.9.14, a missing access check in framework files could lead to a path disclosure.
nvd
CVE-2019-18674 | P4 | MEDIUM | CVSS 5.3 | ≥ 3.6.0, < 3.9.13 | 2019-11-06
CWE-862: An issue was discovered in Joomla! before 3.9.13. A missing access check in the phputf8 mapping files could lead to a path disclosure.
nvd
CVE-2020-11891 | P4 | MEDIUM | CVSS 5.3 | ≥ 3.8.8, < 3.9.17 | 2020-04-21
An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.
nvd
CVE-2020-11889 | P4 | MEDIUM | CVSS 5.3 | ≥ 2.5.0, < 3.9.17 | 2020-04-21
An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.
nvd
CVE-2026-21631 | P4 | MEDIUM | CVSS 5.4 | ≥ 3.0.0, < 5.4.4; ≥ 6.0.0, < 6.0.4 | 2026-04-01
CWE-79: Lack of output escaping leads to an XSS vector in the multilingual associations component.
nvd
CVE-2020-24599 | P4 | MEDIUM | CVSS 6.1 | ≥ 3.9.0, < 3.9.21 | 2020-08-26
CWE-79: An issue was discovered in Joomla! before 3.9.21. Lack of escaping in mod_latestactions allows XSS attacks.
nvd
CVE-2020-10242 | P4 | MEDIUM | CVSS 6.1 | ≥ 3.0.0, < 3.9.16 | 2020-03-16
CWE-79: An issue was discovered in Joomla! before 3.9.16. Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allows XSS attacks.
nvd
CVE-2019-7739 | P4 | MEDIUM | CVSS 6.1 | ≥ 2.5.0, ≤ 3.9.2 | 2019-02-12
An issue was discovered in Joomla! before 3.9.3. The "No Filtering" textfilter overrides child settings in the Global Configuration. This is intended behavior. However, it might be unexpected for the user because the configuration dialog lacks an additional message to explain this.
nvd