VYPR

Joomla!

by Joomla

CVEs (393)

  • CVE-2015-8769 | High | Jan 12, 2016
    risk 0.48 | cvss 7.3 | epss 0.01

    SQL injection vulnerability in Joomla! 3.x before 3.4.7 allows attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2020-37226 | High | May 13, 2026
    risk 0.46 | cvss 7.1 | epss 0.00

    Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby'…

  • CVE-2020-37224 | High | May 13, 2026
    risk 0.46 | cvss 7.1 | epss 0.00

    Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby'…

  • CVE-2025-22213 | High | Mar 11, 2025
    risk 0.46 | cvss n/a | epss 0.00

    Inadequate checks in the Media Manager allowed users with "edit" privileges to change a file's extension to an arbitrary extension, including .php and other potentially executable extensions.

  • CVE-2025-22207 | Medium | Feb 18, 2025
    risk 0.44 | cvss n/a | epss 0.00

    Improperly built order clauses lead to a SQL injection vulnerability in the backend task list of com_scheduler.

  • CVE-2018-6377 | Medium | Jan 30, 2018
    risk 0.44 | cvss 6.1 | epss 0.58

    In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e., list, radio, and checkbox.

  • CVE-2018-15881 | High | Aug 29, 2018
    risk 0.42 | cvss 7.5 | epss 0.02

    An issue was discovered in Joomla! before 3.8.12. Inadequate checks regarding disabled fields can lead to an ACL violation.

  • CVE-2018-11321 | Medium | May 22, 2018
    risk 0.42 | cvss 6.5 | epss 0.02

    An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.

  • CVE-2017-7989 | Medium | Apr 25, 2017
    risk 0.42 | cvss 6.5 | epss 0.01

    In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.

  • CVE-2026-48905 | Medium | May 26, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    Lack of input filtering leads to an XSS vector in the HTML filter code.

  • CVE-2026-48903 | Medium | May 26, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.

  • CVE-2026-30895 | Medium | May 26, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    Lack of output escaping leads to an XSS vector in the readmore links for com_content.

  • CVE-2026-30894 | Medium | May 26, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    Lack of output escaping leads to an XSS vector in the content history component.

  • CVE-2026-25901 | Medium | May 26, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    Lack of output escaping leads to an XSS vector in the multilingual associations component.

  • CVE-2026-25900 | Medium | May 26, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    Lack of output escaping leads to an XSS vector in the feed modules.

  • CVE-2023-54364 | Medium | Apr 9, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the…

  • CVE-2023-54362 | Medium | Apr 9, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the…

  • CVE-2023-54361 | Medium | Apr 9, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter…

  • CVE-2023-54360 | Medium | Apr 9, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers…

  • CVE-2026-23898 | High | Apr 1, 2026
    risk 0.40 | cvss 7.2 | epss 0.00

    Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.
