VYPR

Joomla!

by Joomla

CVEs (393)

  • CVE-2016-10033 · Critical · KEV · Dec 30, 2016
    risk 0.80 · cvss 9.8 · epss 1.00

    The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

  • CVE-2017-8917 · Critical · May 17, 2017
    risk 0.75 · cvss 9.8 · epss 1.00

    SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2016-8869 · Critical · Nov 4, 2016
    risk 0.74 · cvss 9.8 · epss 0.97

    The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.

  • CVE-2016-10045 · Critical · Dec 30, 2016
    risk 0.68 · cvss 9.8 · epss 0.98

    The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail…

  • CVE-2018-5990 · Critical · Feb 17, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the AllVideos Reloaded 1.2.x component for Joomla! via the divid parameter.

  • CVE-2026-48904 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An improper access check allows privilege escalation through the com_users group editing webservice endpoint.

  • CVE-2026-48902 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

  • CVE-2026-48898 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An improper access check allows privilege escalation through the com_users batch task.

  • CVE-2026-40383 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An improper validation of user-supplied input leads to a local file inclusion vulnerability.

  • CVE-2026-35223 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An improper access check allows unauthorized access to com_config webservice endpoints.

  • CVE-2026-35222 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.

  • CVE-2026-35221 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.

  • CVE-2018-11325 · Critical · May 22, 2018
    risk 0.64 · cvss 9.8 · epss 0.04

    An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and display the plaintext password for the administrator account at the confirmation…

  • CVE-2018-6376 · Critical · Jan 30, 2018
    risk 0.64 · cvss 9.8 · epss 0.05

    In Joomla! before 3.8.4, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.

  • CVE-2017-16634 · Critical · Nov 10, 2017
    risk 0.64 · cvss 9.8 · epss 0.04

    In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication method.

  • CVE-2017-14596 · Critical · Sep 20, 2017
    risk 0.64 · cvss 9.8 · epss 0.06

    In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password.

  • CVE-2016-9081 · Critical · Jan 23, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    Joomla! 3.4.4 through 3.6.3 allows attackers to reset username, password, and user group assignments and possibly perform other user account modifications via unspecified vectors.

  • CVE-2016-9836 · Critical · Dec 5, 2016
    risk 0.64 · cvss 9.8 · epss 0.02

    The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to upload and execute files with the `.php6`, `.php7`, `.phtml`, and `.phpt`…

  • CVE-2016-8870 · High · Nov 4, 2016
    risk 0.62 · cvss 8.1 · epss 0.82

    The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration…

  • CVE-2018-8045 · High · Mar 15, 2018
    risk 0.60 · cvss 8.8 · epss 0.29

    In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view.