Joomla!
by Joomla
CVEs (393)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-8769 | | High | 0.48 | 7.3 | 0.01 | | Jan 12, 2016 | SQL injection vulnerability in Joomla! 3.x before 3.4.7 allows attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2020-37226 | | High | 0.46 | 7.1 | 0.00 | | May 13, 2026 | Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby'… |
| CVE-2020-37224 | | High | 0.46 | 7.1 | 0.00 | | May 13, 2026 | Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby'… |
| CVE-2025-22213 | | High | 0.46 | — | 0.00 | | Mar 11, 2025 | Inadequate checks in the Media Manager allowed users with "edit" privileges to change a file's extension to an arbitrary extension, including .php and other potentially executable extensions. |
| CVE-2025-22207 | | Medium | 0.44 | — | 0.00 | | Feb 18, 2025 | Improperly built order clauses lead to a SQL injection vulnerability in the backend task list of com_scheduler. |
| CVE-2018-6377 | | Medium | 0.44 | 6.1 | 0.58 | | Jan 30, 2018 | In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e., list, radio, and checkbox. |
| CVE-2018-15881 | | High | 0.42 | 7.5 | 0.02 | | Aug 29, 2018 | An issue was discovered in Joomla! before 3.8.12. Inadequate checks regarding disabled fields can lead to an ACL violation. |
| CVE-2018-11321 | | Medium | 0.42 | 6.5 | 0.02 | | May 22, 2018 | An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. |
| CVE-2017-7989 | | Medium | 0.42 | 6.5 | 0.01 | | Apr 25, 2017 | In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden. |
| CVE-2026-48905 | | Medium | 0.40 | 6.1 | 0.00 | | May 26, 2026 | Lack of input filtering leads to an XSS vector in the HTML filter code. |
| CVE-2026-48903 | | Medium | 0.40 | 6.1 | 0.00 | | May 26, 2026 | Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. |
| CVE-2026-30895 | | Medium | 0.40 | 6.1 | 0.00 | | May 26, 2026 | Lack of output escaping leads to an XSS vector in the readmore links for com_content. |
| CVE-2026-30894 | | Medium | 0.40 | 6.1 | 0.00 | | May 26, 2026 | Lack of output escaping leads to an XSS vector in the content history component. |
| CVE-2026-25901 | | Medium | 0.40 | 6.1 | 0.00 | | May 26, 2026 | Lack of output escaping leads to an XSS vector in the multilingual associations component. |
| CVE-2026-25900 | | Medium | 0.40 | 6.1 | 0.00 | | May 26, 2026 | Lack of output escaping leads to an XSS vector in the feed modules. |
| CVE-2023-54364 | | Medium | 0.40 | 6.1 | 0.00 | | Apr 9, 2026 | Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the… |
| CVE-2023-54362 | | Medium | 0.40 | 6.1 | 0.00 | | Apr 9, 2026 | Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the… |
| CVE-2023-54361 | | Medium | 0.40 | 6.1 | 0.00 | | Apr 9, 2026 | Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter… |
| CVE-2023-54360 | | Medium | 0.40 | 6.1 | 0.00 | | Apr 9, 2026 | Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers… |
| CVE-2026-23898 | | High | 0.40 | 7.2 | 0.00 | | Apr 1, 2026 | Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism. |
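Three of the entries above (CVE-2020-37226 and CVE-2020-37224 via a 'sortby' parameter, CVE-2025-22207 via "improperly built order clauses") are the same bug class: a request value spliced into ORDER BY. The following is an added illustration written for this page, not code from Joomla or from any of the listed extensions, and Python with an in-memory SQLite table is used so it runs stand-alone (Joomla itself is PHP). The table names, the `sortby` values, the `SORT_COLUMNS` allow-list and the stored password are all constructed for the demonstration. It shows why an order clause cannot be protected by parameter binding, how a conditional `CASE` in ORDER BY turns row order into a one-bit oracle over data in another table, and the allow-list mapping that closes it.

```python
import sqlite3

# Allow-list: value accepted from the request -> real column name used in SQL.
SORT_COLUMNS = {"id": "id", "title": "title"}


def make_db():
    # Constructed sample data for the demonstration (not taken from the page or any Joomla extension).
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO jobs VALUES (1, 'zeta'), (2, 'alpha'), (3, 'mid');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
        """
    )
    return con


def list_jobs_vulnerable(con, sortby):
    """Vulnerable pattern: the 'sortby' request value is concatenated into ORDER BY.

    Parameter binding cannot help here: a bound value is a literal, not an identifier,
    so ORDER BY ? would sort by a constant. That is why order clauses stay injectable
    even in code that otherwise uses prepared statements everywhere.
    """
    sql = "SELECT id FROM jobs ORDER BY " + sortby
    return [row[0] for row in con.execute(sql)]


def list_jobs_safe(con, sortby, direction="ASC"):
    """Hardened form: map the request value to a known column and validate the direction."""
    column = SORT_COLUMNS.get(sortby)
    if column is None:
        raise ValueError("unknown sort column")
    direction = direction.upper()
    if direction not in ("ASC", "DESC"):
        raise ValueError("invalid sort direction")
    sql = f"SELECT id FROM jobs ORDER BY {column} {direction}"
    return [row[0] for row in con.execute(sql)]


def blind_probe(con, guess):
    """Attacker payload: row order depends on a condition over another table's data."""
    payload = (
        "(CASE WHEN (SELECT substr(password, 1, 1) FROM users WHERE id = 1) = "
        f"'{guess}' THEN title ELSE id END)"
    )
    return list_jobs_vulnerable(con, payload)


def recover_first_char(con):
    """Infer the first character of the admin password from the order of the job rows."""
    title_order = list_jobs_vulnerable(con, "title")  # order observed when the condition holds
    for guess in "abcdefghijklmnopqrstuvwxyz0123456789":
        if blind_probe(con, guess) == title_order:
            return guess
    return None


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, sortby=title:", list_jobs_vulnerable(con, "title"))
    print("leaked first password character:", recover_first_char(con))
    print("safe, sortby=title desc:", list_jobs_safe(con, "title", "desc"))
    try:
        list_jobs_safe(con, "(CASE WHEN 1=1 THEN title ELSE id END)")
    except ValueError as exc:
        print("safe version rejected payload:", exc)
```

The allow-list is a dictionary rather than a set so that request-facing names can differ from column names; quoting the identifier with the database layer's name-quoting function is an extra layer, not a substitute, because a quoted identifier that does not exist still fails loudly and an unquoted expression still sorts.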
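CVE-2025-22213 above describes a rename path in the Media Manager that let "edit"-level users change a file's extension to .php. The check below is an added example for this page, not Joomla's fix or its Media Manager code, and the `ALLOWED_EXTENSIONS` and `EXECUTABLE_EXTENSIONS` sets are constructed assumptions rather than Joomla configuration. It goes slightly beyond the single case in the entry: it inspects every dot-separated suffix rather than only the last one (so `shell.php.jpg` and `.htaccess` are caught as well as `shell.php`), lower-cases before comparing, refuses extension-less names, and offers a strict mode in which only the stem may change.

```python
# Constructed allow-list for the demonstration; a real Media Manager would read this
# from its configuration. SVG is deliberately absent because it can carry script.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt"}

# Suffixes that common PHP hosting stacks execute or interpret. Kept separate from the
# allow-list so that an administrator who widens ALLOWED_EXTENSIONS still cannot make a
# renamed file executable.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps", "pht",
    "cgi", "pl", "py", "sh", "htaccess",
}


def suffixes(name):
    """All dot-separated suffixes of a file name, lower-cased: 'x.PHP.jpg' -> ['php', 'jpg'].

    Every suffix matters, not only the last: Apache's mod_mime will hand 'x.php.jpg' to
    the PHP handler when one is mapped for .php, and '.htaccess' has an empty stem.
    """
    parts = name.lower().split(".")
    return [p for p in parts[1:] if p]


def rename_allowed(old_name, new_name, keep_extension=False):
    """Decide whether an 'edit'-level user may rename old_name to new_name.

    keep_extension=True is the strictest policy: only the stem may change.
    """
    # The target must be a plain file name inside the current folder.
    if not new_name or any(c in new_name for c in "/\\\x00") or ".." in new_name:
        return False
    new_suffixes = suffixes(new_name)
    if not new_suffixes:
        return False  # extension-less files invite content sniffing by the web server
    if any(s in EXECUTABLE_EXTENSIONS for s in new_suffixes):
        return False
    if new_suffixes[-1] not in ALLOWED_EXTENSIONS:
        return False
    if keep_extension:
        old_suffixes = suffixes(old_name)
        if not old_suffixes or new_suffixes[-1] != old_suffixes[-1]:
            return False
    return True


if __name__ == "__main__":
    for new in ("photo-2.jpg", "photo.php", "photo.PHP", "photo.php.jpg", ".htaccess", "photo", "../photo.jpg"):
        print(f"{new!r:>16}: {'allowed' if rename_allowed('photo.jpg', new) else 'rejected'}")
```

The server-side check is the control that matters; hiding the extension field in the UI is not. A deployment that serves uploads from a directory with script execution disabled (for example, a `php_admin_flag engine off` or an equivalent handler removal in the media directory) adds defence in depth, but the rename check is what keeps a low-privilege account from placing executable content in the first place.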
Page 3 of 20