Joomla!
by Joomla
Source repositories
CVEs (393)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-21632 | Med | 0.28 | 5.4 | 0.00 | Apr 1, 2026 | Lack of output escaping for article titles leads to XSS vectors in various locations. | ||
| CVE-2026-21631 | Med | 0.28 | 5.4 | 0.00 | Apr 1, 2026 | Lack of output escaping leads to a XSS vector in the multilingual associations component. | ||
| CVE-2018-17859 | Med | 0.28 | 4.3 | 0.01 | Oct 9, 2018 | An issue was discovered in Joomla! before 3.8.13. Inadequate checks in com_contact could allow mail submission in disabled forms. | ||
| CVE-2018-17857 | Med | 0.28 | 4.3 | 0.01 | Oct 9, 2018 | An issue was discovered in Joomla! before 3.8.13. Inadequate checks on the tags search fields can lead to an access level violation. | ||
| CVE-2018-15880 | Med | 0.28 | 5.4 | 0.01 | Aug 29, 2018 | An issue was discovered in Joomla! before 3.8.12. Inadequate output filtering on the user profile page could lead to a stored XSS attack. | ||
| CVE-2018-11327 | Med | 0.28 | 4.3 | 0.01 | May 22, 2018 | An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission. | ||
| CVE-2017-16633 | Med | 0.28 | 4.3 | 0.02 | Nov 10, 2017 | In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users. | ||
| CVE-2025-54476 | Med | 0.24 | — | 0.00 | Sep 30, 2025 | Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class. | ||
| CVE-2017-14595 | Low | 0.24 | 3.7 | 0.02 | Sep 20, 2017 | In Joomla! before 3.8.0, a logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state. | ||
| CVE-2023-23752 | 0.16 | — | 1.00 | KEV | Feb 16, 2023 | An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints. | ||
| CVE-2015-8562 | 0.11 | — | 0.98 | Dec 16, 2015 | Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015. | |||
| CVE-2015-7857 | 0.11 | — | 0.94 | Oct 29, 2015 | SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2 before 3.4.5 allows remote attackers to execute arbitrary SQL commands via the list[select] parameter to index.php. | |||
| CVE-2015-7297 | 0.11 | — | 1.00 | Oct 29, 2015 | SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858. | |||
| CVE-2015-7858 | 0.10 | — | 0.85 | Oct 29, 2015 | SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297. | |||
| CVE-2019-10945 | 0.09 | — | 0.38 | Apr 10, 2019 | An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanitize the folder parameter, allowing attackers to act outside the media manager root directory. | |||
| CVE-2014-7228 | 0.07 | — | 0.55 | Nov 3, 2014 | Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through 1.1.2; Admin Tools Core and… | |||
| CVE-2007-2199 | 0.07 | — | 0.47 | Apr 24, 2007 | PHP remote file inclusion vulnerability in lib/pcltar.lib.php (aka pcltar.php) in the PclTar module 1.3 and 1.3.1 for Vincent Blavet PhpConcept Library, as used in multiple products including (1) Joomla! 1.5.0 Beta, (2) N/X Web Content Management System (WCMS) 4.5, (3) CJG… | |||
| CVE-2011-4906 | 0.06 | — | 0.10 | Feb 12, 2020 | Tiny browser in TinyMCE 3.0 editor in Joomla! before 1.5.13 allows file upload and arbitrary PHP code execution. | |||
| CVE-2007-5457 | 0.06 | — | 0.38 | Oct 14, 2007 | Multiple PHP remote file inclusion vulnerabilities in Michael Dempfle Joomla Flash Uploader (com_jfu or com_joomla_flash_uploader) 2.5.1 component for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1)… | |||
| CVE-2007-5451 | 0.06 | — | 0.31 | Oct 14, 2007 | PHP remote file inclusion vulnerability in admin.color.php in the com_colorlab (aka com_color) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter. |
- risk 0.28cvss 5.4epss 0.00
Lack of output escaping for article titles leads to XSS vectors in various locations.
- risk 0.28cvss 5.4epss 0.00
Lack of output escaping leads to a XSS vector in the multilingual associations component.
- risk 0.28cvss 4.3epss 0.01
An issue was discovered in Joomla! before 3.8.13. Inadequate checks in com_contact could allow mail submission in disabled forms.
- risk 0.28cvss 4.3epss 0.01
An issue was discovered in Joomla! before 3.8.13. Inadequate checks on the tags search fields can lead to an access level violation.
- risk 0.28cvss 5.4epss 0.01
An issue was discovered in Joomla! before 3.8.12. Inadequate output filtering on the user profile page could lead to a stored XSS attack.
- risk 0.28cvss 4.3epss 0.01
An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission.
- risk 0.28cvss 4.3epss 0.02
In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users.
- risk 0.24cvss —epss 0.00
Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class.
- risk 0.24cvss 3.7epss 0.02
In Joomla! before 3.8.0, a logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state.
- risk 0.16cvss —epss 1.00
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
- CVE-2015-8562Dec 16, 2015risk 0.11cvss —epss 0.98
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.
- CVE-2015-7857Oct 29, 2015risk 0.11cvss —epss 0.94
SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2 before 3.4.5 allows remote attackers to execute arbitrary SQL commands via the list[select] parameter to index.php.
- CVE-2015-7297Oct 29, 2015risk 0.11cvss —epss 1.00
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.
- CVE-2015-7858Oct 29, 2015risk 0.10cvss —epss 0.85
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.
- CVE-2019-10945Apr 10, 2019risk 0.09cvss —epss 0.38
An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanitize the folder parameter, allowing attackers to act outside the media manager root directory.
- CVE-2014-7228Nov 3, 2014risk 0.07cvss —epss 0.55
Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through 1.1.2; Admin Tools Core and…
- CVE-2007-2199Apr 24, 2007risk 0.07cvss —epss 0.47
PHP remote file inclusion vulnerability in lib/pcltar.lib.php (aka pcltar.php) in the PclTar module 1.3 and 1.3.1 for Vincent Blavet PhpConcept Library, as used in multiple products including (1) Joomla! 1.5.0 Beta, (2) N/X Web Content Management System (WCMS) 4.5, (3) CJG…
- CVE-2011-4906Feb 12, 2020risk 0.06cvss —epss 0.10
Tiny browser in TinyMCE 3.0 editor in Joomla! before 1.5.13 allows file upload and arbitrary PHP code execution.
- CVE-2007-5457Oct 14, 2007risk 0.06cvss —epss 0.38
Multiple PHP remote file inclusion vulnerabilities in Michael Dempfle Joomla Flash Uploader (com_jfu or com_joomla_flash_uploader) 2.5.1 component for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1)…
- CVE-2007-5451Oct 14, 2007risk 0.06cvss —epss 0.31
PHP remote file inclusion vulnerability in admin.color.php in the com_colorlab (aka com_color) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
Page 5 of 20