VYPR

Bitnami package

joomla

pkg:bitnami/joomla

Vulnerabilities (102)

  • CVE-2026-23899 | High | Apr 1, 2026
    affected >= 3.0.0, < 5.4.4 | fixed 5.4.4

    An improper access check allows unauthorized access to webservice endpoints.

  • CVE-2026-23898 | High | Apr 1, 2026
    affected >= 3.0.0, < 5.4.4 | fixed 5.4.4

    Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

  • CVE-2026-21632 | Medium | Apr 1, 2026
    affected >= 3.0.0, < 5.4.4 | fixed 5.4.4

    Lack of output escaping for article titles leads to XSS vectors in various locations.

  • CVE-2026-21631 | Medium | Apr 1, 2026
    affected >= 3.0.0, < 5.4.4 | fixed 5.4.4

    Lack of output escaping leads to an XSS vector in the multilingual associations component.

  • CVE-2026-21630 | High | Apr 1, 2026
    affected >= 3.0.0, < 5.4.4 | fixed 5.4.4

    Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

  • CVE-2026-21629 | High | Apr 1, 2026
    affected >= 3.0.0, < 5.4.4 | fixed 5.4.4

    The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by third-party developers.

  • CVE-2025-63082 | Jan 6, 2026
    affected >= 4.0.0, < 5.4.2 | fixed 5.4.2

    Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.

  • CVE-2025-63083 | Jan 6, 2026
    affected >= 3.9.0, < 5.4.2 | fixed 5.4.2

    Lack of output escaping leads to an XSS vector in the pagebreak plugin.

  • CVE-2025-25226 | Apr 8, 2025
    affected >= 1.0.0, < 5.0.3 | fixed 5.0.3

    Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in either the 2.x or 3.x branch and therefore the vulnera

  • CVE-2025-25227 | Apr 8, 2025
    affected >= 4.0.0, < 5.2.6 | fixed 5.2.6

    Insufficient state checks lead to a vector that allows bypassing 2FA checks.

  • CVE-2024-40749 | Jan 7, 2025
    affected >= 3.9.0, < 5.2.3 | fixed 5.2.3

    Improper access controls allow access to protected views.

  • CVE-2024-40747 | Jan 7, 2025
    affected >= 4.0.0, < 5.2.3 | fixed 5.2.3

    Various module chromes didn't properly process inputs, leading to XSS vectors.

  • CVE-2024-40748 | Jan 7, 2025
    affected >= 3.9.0, < 5.2.3 | fixed 5.2.3

    Lack of output escaping in the id attribute of menu lists.

  • CVE-2024-27185 | Aug 20, 2024
    affected >= 3.0.0, < 5.1.3 | fixed 5.1.3

    The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.

  • CVE-2024-27186 | Aug 20, 2024
    affected >= 4.0.0, < 5.1.3 | fixed 5.1.3

    The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.

  • CVE-2024-27184 | Aug 20, 2024
    affected >= 3.4.6, < 5.1.3 | fixed 5.1.3

    Inadequate validation of URLs could result in an invalid check of whether a redirect URL is internal or not.

  • CVE-2024-40743 | Aug 20, 2024
    affected >= 3.0.0, < 5.1.3 | fixed 5.1.3

    The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.

  • CVE-2024-27187 | Aug 20, 2024
    affected >= 4.0.0, < 5.1.3 | fixed 5.1.3

    Improper access controls allow backend users to overwrite their username when disallowed.

  • CVE-2024-21729 | Jul 9, 2024
    affected >= 4.0.0, < 5.1.2 | fixed 5.1.2

    Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.

  • CVE-2024-21730 | Jul 9, 2024
    affected >= 4.0.0, < 5.1.2 | fixed 5.1.2

    The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.

Page 1 of 6