CVE-2026-25901
Description
Lack of output escaping leads to an XSS vector in the multilingual associations component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability exists in Joomla's multilingual associations component due to missing output escaping.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Joomla! CMS due to a lack of output escaping in the multilingual associations component [1]. The flaw affects all Joomla! versions from 4.0.0 through 5.4.5 and from 6.0.0 through 6.1.0 [1]. The payload enters when an authenticated user with sufficient privileges creates or edits multilingual association entries, and the unescaped value is later rendered into the page when the associations view is displayed [1].
Exploitation
An attacker who has an account with the ability to manage multilingual associations can inject arbitrary HTML, including script or event-handler attributes, into association fields [1]. No network position beyond normal authenticated access is required, and no race condition is involved. The injected payload is stored and executes later, whenever another user (including an administrator) views the affected page [1]. The likelihood of exploitation is rated Low and the severity Moderate [1].
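The following is an added illustration of the pattern described above, written for this page; it is not Joomla's own code and not the actual vulnerable template. The association row, the payload, and the function names are assumptions constructed for the example. It renders the same stored record once without escaping (the vulnerable form) and once with context-appropriate escaping (the hardened form), then checks whether user-controlled markup survived into the output.

```php
<?php
// Added example (not Joomla code): the pattern behind a "missing output
// escaping" stored XSS, beside the hardened form. The association record,
// the payload and both render functions are constructed here.
declare(strict_types=1);

// Constructed association row as it might come back from the database after
// an authenticated editor saved it. Both fields carry a stored payload: one
// aimed at element content, one aimed at breaking out of an attribute.
$association = [
    'title'    => '<img src=x onerror="alert(document.cookie)">',
    'language' => 'en-GB" autofocus onfocus="alert(1)',
];

// Vulnerable pattern: stored values are concatenated into HTML verbatim, so
// the browser parses the payload as markup when any user views the list.
function renderVulnerable(array $row): string
{
    return '<li data-lang="' . $row['language'] . '">' . $row['title'] . '</li>';
}

// Hardened pattern: every value is escaped for the HTML context it lands in.
// ENT_QUOTES matters because the language value sits inside an attribute,
// where a bare double quote is enough to break out; ENT_SUBSTITUTE keeps an
// invalid UTF-8 sequence from silently emptying the whole string.
function escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderHardened(array $row): string
{
    return '<li data-lang="' . escape($row['language']) . '">' . escape($row['title']) . '</li>';
}

// Crude check used only to make the difference visible: did any raw
// user-supplied value reach the output unchanged?
function containsRawUserData(string $html, array $row): bool
{
    foreach ($row as $value) {
        if (str_contains($html, $value)) {
            return true;
        }
    }
    return false;
}

echo "vulnerable: ", renderVulnerable($association), PHP_EOL;
echo "hardened:   ", renderHardened($association), PHP_EOL;
echo "raw data in vulnerable output: ", var_export(containsRawUserData(renderVulnerable($association), $association), true), PHP_EOL;
echo "raw data in hardened output:   ", var_export(containsRawUserData(renderHardened($association), $association), true), PHP_EOL;
```

In a Joomla layout the escaping is conventionally done through the view's `$this->escape()` helper rather than a bare `htmlspecialchars` call; whichever helper is used, the point the advisory makes is that the helper must be applied at every output site, and its flags must cover the context (quotes inside attributes, not just angle brackets in element content). Input filtering on save is not a substitute, because the same stored value may be rendered into several contexts.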
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of another user's browser session on the affected site [1]. This can lead to information disclosure (for example, theft of session cookies or tokens readable by script), manipulation of page content, or requests issued in the victim's name with the victim's privileges [1]. The payload runs within the site's own origin; the attacker gains no direct server-side access from the XSS itself [1].
Mitigation
The vulnerability is fixed in Joomla! CMS versions 5.4.6 and 6.1.1, released on 2026-05-26 [1]. Users should upgrade to these or later versions immediately [1]. No workarounds are documented for unpatched installations [1]. The CVE is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].
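As an added check for the affected ranges stated above (constructed for this page, not a Joomla tool), the snippet below maps a Joomla! version string to the fixed release it should be upgraded to, or reports that the version lies outside every affected range. The function name and the sample inputs are assumptions; the ranges and fixed versions are those given in this advisory text.

```php
<?php
// Added example (not Joomla code): checks a Joomla! version string against
// the affected ranges stated in this advisory.
declare(strict_types=1);

// Inclusive affected ranges and the release that closes each, per the advisory.
const AFFECTED_RANGES = [
    ['from' => '4.0.0', 'to' => '5.4.5', 'fixed' => '5.4.6'],
    ['from' => '6.0.0', 'to' => '6.1.0', 'fixed' => '6.1.1'],
];

// Returns the fixed version to upgrade to, or null when the version is outside
// every affected range. version_compare() is used so that 5.4.10 sorts after
// 5.4.6; a plain string comparison would get that wrong. Pre-release suffixes
// such as "-dev" compare as lower than the bare release, so a development build
// of the fixed version is reported as outside the range and should be checked
// by hand against the actual commit it was built from.
function fixedVersionFor(string $version): ?string
{
    foreach (AFFECTED_RANGES as $range) {
        if (version_compare($version, $range['from'], '>=')
            && version_compare($version, $range['to'], '<=')) {
            return $range['fixed'];
        }
    }
    return null;
}

// Constructed inputs covering the boundaries of both ranges.
foreach (['3.10.12', '4.0.0', '5.4.5', '5.4.6', '5.4.10', '6.0.0', '6.1.0', '6.1.1'] as $v) {
    $fixed = fixedVersionFor($v);
    printf("%-8s %s\n", $v, $fixed === null ? 'not in an affected range' : "affected, upgrade to $fixed");
}
```

The installed version is shown on the administrator System Information page; feeding that string to `fixedVersionFor()` gives the upgrade target. Note that the version string alone does not prove the associations view is exposed, only that the shipped code carries the unescaped output path.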
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.