VYPR

Bitnami package

joomla

pkg:bitnami/joomla

Vulnerabilities (122)

  • CVE-2026-48905MedMay 26, 2026
    affected >= 3.0.0, < 5.4.6fixed 5.4.6

    Lack of input filtering leads to an XSS vector in the HTML filter code.

  • CVE-2026-48904CriMay 26, 2026
    affected >= 4.0.0, < 5.4.6fixed 5.4.6

    An improper access check allows privelege escalation through the com_users group editing webservice endpoint.

  • CVE-2026-48903MedMay 26, 2026
    affected >= 3.0.0, < 5.4.6fixed 5.4.6

    Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.

  • CVE-2026-48902CriMay 26, 2026
    affected >= 3.0.0, < 5.4.6fixed 5.4.6

    The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

  • CVE-2026-48901HigMay 26, 2026
    affected >= 4.0.0, < 5.4.6fixed 5.4.6

    The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.

  • CVE-2026-48900MedMay 26, 2026
    affected >= 4.1.0, < 5.4.6fixed 5.4.6

    An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.

  • CVE-2026-48899CriMay 26, 2026
    affected >= 4.0.0, < 5.4.6fixed 5.4.6

    An improper access check allows privilege escalation through the com_users batch task.

  • CVE-2026-48898CriMay 26, 2026
    affected >= 4.0.0, < 5.4.6fixed 5.4.6

    An improper access check allows privilege escalation through the com_users batch task.

  • CVE-2026-48897HigMay 26, 2026
    affected >= 4.0.0, < 5.4.6fixed 5.4.6

    Insufficient state checks lead to a vector that allows to bypass 2FA checks.

  • CVE-2026-48896HigMay 26, 2026
    affected >= 4.0.0, < 5.4.6fixed 5.4.6

    Insufficient state checks lead to a vector that allows to bypass 2FA checks.

  • CVE-2026-40384HigMay 26, 2026
    affected >= 4.0.0, < 5.4.6fixed 5.4.6

    An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.

  • CVE-2026-40383CriMay 26, 2026
    affected >= 3.2.1, < 5.4.6fixed 5.4.6

    An improper validation of user-supplied input leads to a local file inclusion vulnerability.

  • CVE-2026-35223CriMay 26, 2026
    affected >= 4.0.0, < 5.4.6fixed 5.4.6

    An improper access check allows unauthorized access to com_config webservice endpoints.

  • CVE-2026-35222CriMay 26, 2026
    affected >= 3.0.0, < 5.4.6fixed 5.4.6

    Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.

  • CVE-2026-35221CriMay 26, 2026
    affected >= 3.0.0, < 5.4.6fixed 5.4.6

    Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.

  • CVE-2026-35220MedMay 26, 2026
    affected >= 6.0.0, < 6.1.1fixed 6.1.1

    Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.

  • CVE-2026-30895MedMay 26, 2026
    affected >= 3.0.0, < 5.4.6fixed 5.4.6

    Lack of output escaping leads to a XSS vector in the readmore links for com_content.

  • CVE-2026-30894MedMay 26, 2026
    affected >= 3.0.0, < 5.4.6fixed 5.4.6

    Lack of output escaping leads to a XSS vector in the content history component.

  • CVE-2026-25901MedMay 26, 2026
    affected >= 3.0.0, < 5.4.6fixed 5.4.6

    Lack of output escaping leads to a XSS vector in the multilingual associations component.

  • CVE-2026-25900MedMay 26, 2026
    affected >= 3.0.0, < 5.4.6fixed 5.4.6

    Lack of output escaping leads to a XSS vector in the feed modules.

Page 1 of 7