VYPR
Medium severity 5.4 · NVD Advisory · Published Apr 1, 2026 · Updated Apr 9, 2026

CVE-2026-21631

Description

Lack of output escaping leads to an XSS vector in the multilingual associations component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Joomla! com_associations comparison view due to unescaped output, affecting versions 4.0.0-5.4.3 and 6.0.0-6.0.3.

Vulnerability

Overview

CVE-2026-21631 is a stored cross-site scripting (XSS) vulnerability in Joomla! CMS, specifically in the com_associations component's comparison view. The root cause is the lack of proper output escaping when rendering attacker-controlled title data into an HTML attribute in the backend interface. This allows an attacker to break out of the intended attribute context and inject executable JavaScript [1][2].

Exploitation

Prerequisites

Exploitation requires an authenticated user who can create or edit content with multilingual associations, such as articles. The attacker stores a malicious payload (e.g., XSSPoc" onload="alert(1337)) in the title field. When a privileged backend user opens the associations comparison page, the title is rendered into an attribute without escaping: the double quote in the payload terminates the intended attribute, and the remainder is parsed as a new event-handler attribute, which is the attribute injection [1].
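The following is an added illustration of the mechanism described above, not code from Joomla! or from the advisory. It uses the payload quoted in the text; the template structure (an img element carrying a title attribute) is a hypothetical stand-in for the comparison view, chosen only to show the attribute context. It renders the stored title once without escaping and once with attribute-safe escaping, then lists the attributes a browser would see in each case.

```php
<?php
// Added example (not Joomla! code): why a raw title breaks out of an HTML
// attribute, and how attribute-context escaping keeps it inside.
declare(strict_types=1);

// Hypothetical vulnerable rendering: attacker-controlled $title is concatenated
// straight into a double-quoted attribute. The " inside the payload closes the
// title attribute, and ` onload="alert(1337)` becomes a new event handler.
function renderTitleUnescaped(string $title): string
{
    return '<img src="flag.png" title="' . $title . '">';
}

// Hardened rendering: htmlspecialchars with ENT_QUOTES converts both " and '
// to entities, so the whole payload stays inside one attribute value. In a
// Joomla! view template this is the job of $this->escape() on every value
// echoed into markup; plain htmlspecialchars is used here to stay self-contained.
function renderTitleEscaped(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<img src="flag.png" title="' . $safe . '">';
}

// Crude structural check: collect the attribute names on the element. A
// breakout shows up as an attribute (onload) the template never wrote.
function attributeNames(string $html): array
{
    preg_match_all('/\s([a-zA-Z][\w-]*)="/', $html, $m);
    return $m[1];
}

// Constructed input: the payload quoted in the advisory text.
$payload = 'XSSPoc" onload="alert(1337)';

foreach (['unescaped' => renderTitleUnescaped($payload),
          'escaped'   => renderTitleEscaped($payload)] as $label => $html) {
    printf("%s:\n  %s\n  attributes seen by the browser: %s\n",
        $label, $html, implode(', ', attributeNames($html)));
}
```

The unescaped rendering yields three attributes (src, title, onload); the escaped one yields two, with the payload inert inside title. The ENT_QUOTES flag matters: PHP's default flags before 8.1 were ENT_COMPAT, which leaves single quotes untouched, so a single-quoted attribute would still be breakable with that default. Escaping is also context-specific: it protects quoted attribute values, not unquoted attributes, URL attributes or inline script, each of which needs its own encoding.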

Impact

The attacker can execute arbitrary JavaScript in the context of the victim's session, potentially leading to data theft, session hijacking, or further administrative actions. The CVSS scope is treated as changed because the payload is stored by one (lower-privileged) user but executes in the browser of a different, privileged backend user [1][2].

Mitigation

The vulnerability affects Joomla! versions 4.0.0-5.4.3 and 6.0.0-6.0.3. It is fixed in versions 5.4.4 and 6.0.4. Users are advised to upgrade to the latest patched versions [2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Joomla / Joomla! (2 versions)
    • cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:* range: >=3.0.0,<5.4.4
    • (no CPE)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.