CVE-2026-25900
Description
Lack of output escaping leads to an XSS vector in the feed modules.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-25900: Lack of output escaping in Joomla! feed modules allows stored cross-site scripting (XSS) attacks.
Vulnerability
The Joomla! CMS feed modules fail to properly escape output, creating a reflected or stored cross-site scripting (XSS) vector [1]. The vulnerability affects Joomla! CMS versions 3.0.0 through 5.4.5 and versions 6.0.0 through 6.1.0 [1]. An attacker can inject script code into the feed module output, which then executes in the browser of an administrator or any other user who views the affected page.
Exploitation
An attacker needs a role that allows them to create or modify feed module content (e.g., the Manager role or higher) to inject a crafted payload [1]. The attacker inserts script code into the title or other fields of a feed module. When an administrator or other privileged user loads the page containing the module, the injected script executes in their browser session. No race window or additional user interaction beyond viewing the page is required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's Joomla! session. This can lead to information disclosure (e.g., theft of session cookies), modification of content, or further compromise of the administrative interface, affecting confidentiality, integrity and availability [1]. The vendor rates the impact as moderate [1].
Mitigation
The vendor released fixed versions 5.4.6 and 6.1.1 on 2026-05-26 [1]. Upgrading to the fixed release for the branch in use resolves the lack of output escaping. There is no known workaround; users must apply the patch to eliminate the XSS vector. No evidence of exploitation in the wild or inclusion in CISA KEV had been published as of the advisory date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in the index yet)