CVE-2026-30895
Description
Lack of output escaping leads to an XSS vector in the readmore links for com_content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla! CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 are vulnerable to stored XSS because the readmore links rendered by com_content are emitted without output escaping.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the com_content component of Joomla! CMS because the readmore links it renders are emitted without output escaping. Affected versions are Joomla! 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 [1]. Article data that a user with content rights controls is written into the readmore hyperlink markup without being encoded for the HTML context it lands in, so a crafted value can break out of the link markup and inject arbitrary HTML and JavaScript. The defect is one of output escaping rather than input validation: the stored value is not neutralised at the point where it is written into the page.
Exploitation
An attacker needs write access to content, typically an account that can create or edit articles, in order to store a value that ends up in a readmore link. The attacker saves the crafted article; when a victim's browser renders a page that contains the readmore link, the injected markup becomes part of the DOM and the script runs in the victim's session [1]. Whether it fires on page load or only once the victim interacts with the link (a click or a hover, for instance) depends on where in the anchor markup the payload lands; in either case nothing beyond viewing the affected page, or at most clicking the link, is required.
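The following is an added illustration, not code from Joomla or from the cited advisory. It reproduces the class of bug described above in a few lines: a "read more" link assembled from article fields without output escaping, next to the escaped form, and a DOM-based check that shows the difference as a browser would see it. The article data, the URL builder `articleUrl()` and the helper names are constructed for the example; the check assumes PHP's bundled ext-dom is available.

```php
<?php
declare(strict_types=1);

// Added illustration, not Joomla's own com_content code: a "read more" link
// built from article fields without output escaping, beside the escaped form.

// Constructed sample article. The title is the kind of value a user with
// article create/edit rights could save; the double quote ends a quoted
// attribute and everything after it is parsed as a new attribute.
$article = [
    'id'    => 42,
    'alias' => 'hello-world',
    'title' => 'Hello" onmouseover="alert(document.cookie)',
];

// Hypothetical URL builder standing in for the route helper. The id is cast
// to int and the alias URL-encoded so neither can carry markup.
function articleUrl(array $a): string
{
    return '/index.php?option=com_content&view=article&id='
        . (int) $a['id'] . ':' . rawurlencode((string) $a['alias']);
}

// Vulnerable pattern: the title is interpolated straight into the title=""
// attribute and into the link text with no escaping for either context.
function renderReadmoreVulnerable(array $a): string
{
    return '<a class="readmore" href="' . articleUrl($a) . '" title="' . $a['title'] . '">'
        . 'Read more: ' . $a['title'] . '</a>';
}

// Escaper for HTML attribute and text context. ENT_QUOTES also encodes single
// quotes, so either attribute quoting style is safe; ENT_SUBSTITUTE replaces
// invalid UTF-8 rather than returning an empty string.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every dynamic value is escaped where it is written into
// HTML, including the href, whose '&' separators become '&amp;'.
function renderReadmoreHardened(array $a): string
{
    $title = escapeHtml((string) $a['title']);
    return '<a class="readmore" href="' . escapeHtml(articleUrl($a)) . '" title="' . $title . '">'
        . 'Read more: ' . $title . '</a>';
}

// Check the rendered markup the way a browser will read it: parse it and
// look for any on* attribute on the anchor. A plain string search would not
// do, because the escaped output still contains the text "onmouseover=".
function hasEventHandlerAttribute(string $html): bool
{
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><body>' . $html . '</body>', LIBXML_NOERROR | LIBXML_NOWARNING);
    foreach ($doc->getElementsByTagName('a') as $anchor) {
        foreach ($anchor->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

echo renderReadmoreVulnerable($article), PHP_EOL;
echo renderReadmoreHardened($article), PHP_EOL;
var_dump(hasEventHandlerAttribute(renderReadmoreVulnerable($article)));
var_dump(hasEventHandlerAttribute(renderReadmoreHardened($article)));
```

The vulnerable renderer emits an anchor whose `title` attribute closes after `Hello` and whose next attribute is a live `onmouseover` handler, so the DOM check reports true; the hardened renderer keeps the whole payload inert inside the `title` attribute as `&quot;`-encoded text, and the check reports false. In Joomla layouts the escaping step corresponds to passing values through `$this->escape()` before they are echoed.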
Impact
Successful exploitation executes attacker-controlled script in the context of the victim's session, which can lead to session hijacking, defacement, or theft of information displayed in the browser. The severity is moderate because the attacker must already hold content-editing privileges, but once stored the payload reaches every user whose browser renders the compromised readmore link, including users with higher privileges than the author who planted it [1].
Mitigation
The vulnerability is fixed in Joomla! CMS 5.4.6 and 6.1.1 [1]. Administrators should upgrade to one of those releases or later without delay; no workaround for unpatched instances is known. No KEV listing had been published as of the CVE date.
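The following is an added check for the ranges stated above; it is not from the advisory or from Joomla. It reads the version constants out of an installation's `libraries/src/Version.php` and decides whether the install sits inside the affected ranges. It assumes the file declares `MAJOR_VERSION`, `MINOR_VERSION`, `PATCH_VERSION` and `EXTRA_VERSION` constants in the form Joomla 4 and later use; the sample source text embedded in the block is constructed.

```php
<?php
declare(strict_types=1);

// Added check, not part of the advisory or of Joomla: classify an
// installation against the version ranges this CVE record names.
// Assumption: libraries/src/Version.php declares MAJOR_VERSION,
// MINOR_VERSION, PATCH_VERSION and EXTRA_VERSION, as Joomla 4+ does.

const AFFECTED_RANGES = [
    ['4.0.0', '5.4.5'],
    ['6.0.0', '6.1.0'],
];

const FIXED_VERSIONS = ['5.4.6', '6.1.1'];

// Build a version string such as "5.4.5" or "6.1.0-rc1" from the source of
// Version.php. Returns null when the expected constants are not present.
function joomlaVersionFromSource(string $source): ?string
{
    $parts = [];
    foreach (['MAJOR_VERSION', 'MINOR_VERSION', 'PATCH_VERSION'] as $name) {
        if (!preg_match('/const\s+' . $name . '\s*=\s*(\d+)\s*;/', $source, $m)) {
            return null;
        }
        $parts[] = $m[1];
    }
    $version = implode('.', $parts);
    // EXTRA_VERSION is '' on stable releases and e.g. 'rc1' on pre-releases;
    // version_compare() orders "x.y.z-rc1" before "x.y.z".
    if (preg_match('/const\s+EXTRA_VERSION\s*=\s*[\'"]([^\'"]*)[\'"]\s*;/', $source, $m)
        && $m[1] !== '') {
        $version .= '-' . $m[1];
    }
    return $version;
}

// True when the version lies inside any affected range (bounds inclusive).
function isAffected(string $version): bool
{
    foreach (AFFECTED_RANGES as [$low, $high]) {
        if (version_compare($version, $low, '>=') && version_compare($version, $high, '<=')) {
            return true;
        }
    }
    return false;
}

// Constructed sample: the constant block of a 5.4.5 installation.
$sample = <<<'SRC'
    public const MAJOR_VERSION = 5;
    public const MINOR_VERSION = 4;
    public const PATCH_VERSION = 5;
    public const EXTRA_VERSION = '';
SRC;

$version = joomlaVersionFromSource($sample);
if ($version === null) {
    fwrite(STDERR, "could not read Joomla version constants\n");
    exit(2);
}
printf("%s: %s\n", $version,
    isAffected($version) ? 'AFFECTED, upgrade to ' . implode(' or ', FIXED_VERSIONS) : 'not in affected range');

// Against a real install, feed the file instead of the sample:
// $version = joomlaVersionFromSource(file_get_contents('/var/www/html/libraries/src/Version.php'));
```

Versions above the affected ranges but below the fixed releases do not exist for stable builds, so "not in affected range" can be read as "fixed or never affected"; pre-release builds such as 5.4.6-rc1 fall outside the ranges and should be judged from the release notes rather than from this check.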
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.