VYPR

Joomla!

by Joomla


CVEs (393)

  • CVE-2018-6007 | High | Jan 29, 2018
    risk 0.60 | cvss 8.8 | epss 0.02

    CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and allows attackers to inject HTML or edit a ticket.

  • CVE-2018-17858 | High | Oct 9, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    An issue was discovered in Joomla! before 3.8.13. com_installer actions do not have sufficient CSRF hardening in the backend.

  • CVE-2018-17855 | High | Oct 9, 2018
    risk 0.57 | cvss 8.8 | epss 0.02

    An issue was discovered in Joomla! before 3.8.13. If an attacker gets access to the mail account of a user who can approve admin verifications in the registration process, he can activate himself.

  • CVE-2018-15882 | Critical | Aug 29, 2018
    risk 0.57 | cvss 9.8 | epss 0.03

    An issue was discovered in Joomla! before 3.8.12. Inadequate checks in the InputFilter class could allow specifically prepared phar files to pass the upload filter.

  • CVE-2018-12712 | High | Jun 26, 2018
    risk 0.57 | cvss 8.8 | epss 0.02

    An issue was discovered in Joomla! 2.5.0 through 3.8.8 before 3.8.9. The autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3, this function validates invalid names as valid, which can result in a Local File Inclusion.

  • CVE-2018-11323 | High | May 22, 2018
    risk 0.57 | cvss 8.8 | epss 0.03

    An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.

  • CVE-2017-11364 | High | Aug 2, 2017
    risk 0.57 | cvss 8.8 | epss 0.02

    The CMS installer in Joomla! before 3.7.4 does not verify a user's ownership of a webspace, which allows remote authenticated users to gain control of the target application by leveraging Certificate Transparency logs.

  • CVE-2020-37218 | High | May 13, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL…

  • CVE-2016-9838 | High | Dec 16, 2016
    risk 0.53 | cvss 7.5 | epss 0.14

    An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group…

  • CVE-2026-23899 | High | Apr 1, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    An improper access check allows unauthorized access to webservice endpoints.

  • CVE-2026-21630 | High | Apr 1, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

  • CVE-2026-48901 | High | May 26, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.

  • CVE-2026-48897 | High | May 26, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    Insufficient state checks lead to a vector that allows bypassing 2FA checks.

  • CVE-2026-48896 | High | May 26, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    Insufficient state checks lead to a vector that allows bypassing 2FA checks.

  • CVE-2026-40384 | High | May 26, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.

  • CVE-2020-37219 | High | May 13, 2026
    risk 0.49 | cvss 7.5 | epss 0.01

    Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability that allows unauthenticated attackers to list arbitrary files by manipulating the folder parameter. Attackers can send GET requests to the onAjax_files method with path traversal sequences to enumerate files…

  • CVE-2018-11322 | High | May 22, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.

  • CVE-2017-9933 | High | Jul 17, 2017
    risk 0.49 | cvss 7.5 | epss 0.02

    Improper cache invalidation in Joomla! CMS 1.7.3 through 3.7.2 leads to disclosure of form contents.

  • CVE-2016-9837 | High | Dec 16, 2016
    risk 0.49 | cvss 7.5 | epss 0.01

    An issue was discovered in templates/beez3/html/com_content/article/default.php in Joomla! before 3.6.5. Inadequate permissions checks in the Beez3 layout override of the com_content article view allow users to view articles that should not be publicly accessible, as…

  • CVE-2008-4122 | High | Dec 19, 2008
    risk 0.49 | cvss 7.5 | epss 0.01

    Joomla! 1.5.8 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
