Medium severity · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-30894

Description

Lack of output escaping leads to an XSS vector in the content history component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing output escaping in Joomla's content history component allows XSS attacks, affecting versions 3.0.0-5.4.5 and 6.0.0-6.1.0.

Vulnerability

The vulnerability is a cross-site scripting (XSS) issue in the content history component (com_contenthistory) of Joomla! CMS, caused by a lack of output escaping. Affected versions are 3.0.0 through 5.4.5 and 6.0.0 through 6.1.0. [1]

Exploitation

An attacker must be able to inject malicious script into content history data. The exact attack vector is not detailed, but it likely requires some user interaction or the ability to create or modify content. The advisory rates the probability of exploitation as low. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's session, potentially leading to data theft, session hijacking, or other malicious actions. The impact is rated as moderate. [1]

Mitigation

Upgrade to Joomla! CMS version 5.4.6 or 6.1.1, released on 2026-05-26. No workarounds are provided in the advisory. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
