Bitnami package
joomla
pkg:bitnami/joomla
Vulnerabilities (122)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-48905 | Med | 6.1 | >= 3.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | Lack of input filtering leads to an XSS vector in the HTML filter code. | |
| CVE-2026-48904 | Cri | 9.8 | >= 4.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | An improper access check allows privelege escalation through the com_users group editing webservice endpoint. | |
| CVE-2026-48903 | Med | 6.1 | >= 3.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. | |
| CVE-2026-48902 | Cri | 9.8 | >= 3.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. | |
| CVE-2026-48901 | Hig | 7.5 | >= 4.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. | |
| CVE-2026-48900 | Med | 4.3 | >= 4.1.0, < 5.4.6 | 5.4.6 | May 26, 2026 | An improper access check allowed low privileged users to edit the task types of existing scheduler tasks. | |
| CVE-2026-48899 | Cri | 9.8 | >= 4.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | An improper access check allows privilege escalation through the com_users batch task. | |
| CVE-2026-48898 | Cri | 9.8 | >= 4.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | An improper access check allows privilege escalation through the com_users batch task. | |
| CVE-2026-48897 | Hig | 7.5 | >= 4.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | Insufficient state checks lead to a vector that allows to bypass 2FA checks. | |
| CVE-2026-48896 | Hig | 7.5 | >= 4.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | Insufficient state checks lead to a vector that allows to bypass 2FA checks. | |
| CVE-2026-40384 | Hig | 7.5 | >= 4.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability. | |
| CVE-2026-40383 | Cri | 9.8 | >= 3.2.1, < 5.4.6 | 5.4.6 | May 26, 2026 | An improper validation of user-supplied input leads to a local file inclusion vulnerability. | |
| CVE-2026-35223 | Cri | 9.8 | >= 4.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | An improper access check allows unauthorized access to com_config webservice endpoints. | |
| CVE-2026-35222 | Cri | 9.8 | >= 3.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | Improperly validated order clauses lead to a SQL injection vulnerability in com_tags. | |
| CVE-2026-35221 | Cri | 9.8 | >= 3.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder. | |
| CVE-2026-35220 | Med | 4.3 | >= 6.0.0, < 6.1.1 | 6.1.1 | May 26, 2026 | Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users. | |
| CVE-2026-30895 | Med | 6.1 | >= 3.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | Lack of output escaping leads to a XSS vector in the readmore links for com_content. | |
| CVE-2026-30894 | Med | 6.1 | >= 3.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | Lack of output escaping leads to a XSS vector in the content history component. | |
| CVE-2026-25901 | Med | 6.1 | >= 3.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | Lack of output escaping leads to a XSS vector in the multilingual associations component. | |
| CVE-2026-25900 | Med | 6.1 | >= 3.0.0, < 5.4.6 | 5.4.6 | May 26, 2026 | Lack of output escaping leads to a XSS vector in the feed modules. |
- affected >= 3.0.0, < 5.4.6fixed 5.4.6
Lack of input filtering leads to an XSS vector in the HTML filter code.
- affected >= 4.0.0, < 5.4.6fixed 5.4.6
An improper access check allows privelege escalation through the com_users group editing webservice endpoint.
- affected >= 3.0.0, < 5.4.6fixed 5.4.6
Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.
- affected >= 3.0.0, < 5.4.6fixed 5.4.6
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
- affected >= 4.0.0, < 5.4.6fixed 5.4.6
The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.
- affected >= 4.1.0, < 5.4.6fixed 5.4.6
An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.
- affected >= 4.0.0, < 5.4.6fixed 5.4.6
An improper access check allows privilege escalation through the com_users batch task.
- affected >= 4.0.0, < 5.4.6fixed 5.4.6
An improper access check allows privilege escalation through the com_users batch task.
- affected >= 4.0.0, < 5.4.6fixed 5.4.6
Insufficient state checks lead to a vector that allows to bypass 2FA checks.
- affected >= 4.0.0, < 5.4.6fixed 5.4.6
Insufficient state checks lead to a vector that allows to bypass 2FA checks.
- affected >= 4.0.0, < 5.4.6fixed 5.4.6
An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.
- affected >= 3.2.1, < 5.4.6fixed 5.4.6
An improper validation of user-supplied input leads to a local file inclusion vulnerability.
- affected >= 4.0.0, < 5.4.6fixed 5.4.6
An improper access check allows unauthorized access to com_config webservice endpoints.
- affected >= 3.0.0, < 5.4.6fixed 5.4.6
Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.
- affected >= 3.0.0, < 5.4.6fixed 5.4.6
Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.
- affected >= 6.0.0, < 6.1.1fixed 6.1.1
Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.
- affected >= 3.0.0, < 5.4.6fixed 5.4.6
Lack of output escaping leads to a XSS vector in the readmore links for com_content.
- affected >= 3.0.0, < 5.4.6fixed 5.4.6
Lack of output escaping leads to a XSS vector in the content history component.
- affected >= 3.0.0, < 5.4.6fixed 5.4.6
Lack of output escaping leads to a XSS vector in the multilingual associations component.
- affected >= 3.0.0, < 5.4.6fixed 5.4.6
Lack of output escaping leads to a XSS vector in the feed modules.
Page 1 of 7