VYPR
patchPublished May 31, 2026· 1 source

Joomla! May 2026: 18 CVEs Including Critical SQLi, LFI, and Privilege Escalation Flaws

The Joomla Project disclosed 18 vulnerabilities on May 26, 2026, including six critical-severity bugs spanning SQL injection, local file inclusion, privilege escalation, and unauthorized webservice access.

The Joomla Project published 18 security advisories on May 26, 2026, covering a broad swath of the CMS — from core authentication and webservice endpoints to content components and media handling. Six of the CVEs carry a critical severity rating (CVSS 9.8), making this one of the largest single-day disclosure events for the platform in recent memory. The batch includes SQL injection, local file inclusion, privilege escalation, XSS, path traversal, CSRF, and a 2FA bypass, giving site administrators a substantial patch list to work through.

Three of the most severe bugs target the com_users component. CVE-2026-48904 (CVSS 9.8) is an improper access check in the group editing webservice endpoint that allows privilege escalation. CVE-2026-48898 (CVSS 9.8) similarly enables privilege escalation through the com_users batch task handler. Together, these two flaws could let an unauthenticated or low-privileged attacker elevate to full administrative rights on an unpatched site.

CVE-2026-35223 (CVSS 9.8) grants unauthorized access to com_config webservice endpoints, potentially exposing site configuration data. A fourth critical access-control issue, CVE-2026-48902 (CVSS 9.8), affects the password and username reset features — when the "Force SSL" flag is not explicitly set, the system generates plain HTTP links even for HTTPS connections, opening the door to man-in-the-middle interception of reset tokens.

Two critical SQL injection vulnerabilities were disclosed in core components. CVE-2026-35222 (CVSS 9.8) stems from improperly validated order clauses in com_tags, allowing an attacker to inject malicious SQL through tag listing parameters. CVE-2026-35221 (CVSS 9.8) arises from improperly built filter clauses in the search query for com_finder (Smart Search). Both can be exploited without authentication, making them especially dangerous for sites running the affected components.

CVE-2026-40383 (CVSS 9.8) is a local file inclusion vulnerability caused by improper validation of user-supplied input, potentially allowing an attacker to read sensitive files on the server. A related high-severity bug, CVE-2026-40384 (CVSS 7.5), is a path traversal in the com_media files API endpoint via improper validation of the search parameter, which could expose the directory structure and file contents of the Joomla installation.

Two high-severity CVEs — CVE-2026-48897 and CVE-2026-48896 (both CVSS 7.5) — describe insufficient state checks that allow attackers to bypass two-factor authentication. The exact vectors differ but both undermine the 2FA enforcement logic. Separately, CVE-2026-48901 (CVSS 7.5) affects the InputFilter::getInstance() method, which omitted a security-sensitive parameter from the instance cache key, potentially causing the wrong filter to be applied to user input in certain request sequences.

Six medium-severity XSS vulnerabilities round out the batch. CVE-2026-48905 (CVSS 6.1) is an XSS vector in the HTML filter code due to lack of input filtering. CVE-2026-48903 (CVSS 6.1) stems from inadequate content filtering within the checkAttribute methods, affecting various components. CVE-2026-30895 (CVSS 6.1) is an XSS in readmore links for com_content. CVE-2026-30894 (CVSS 6.1) affects the content history component. CVE-2026-25900 (CVSS 6.1) appears in the feed modules. All five are stored or reflected XSS that could allow an attacker to inject scripts into pages viewed by site administrators or visitors.

CVE-2026-35220 (CVSS 4.3) is a CSRF vulnerability in the admin activation endpoint of com_users — the endpoint lacks CSRF token validation, enabling cross-site request forgery attacks. CVE-2026-48900 (CVSS 4.3) is an improper access check that allowed low-privileged users to edit the task types of existing scheduler tasks, a minor but real privilege boundary violation.

The Joomla Project has released security patches addressing all 18 CVEs. Site administrators should update to the latest Joomla version immediately. As is standard practice, the project did not disclose technical details until a patched release was available. No reports of active exploitation in the wild have been confirmed at the time of publication, but the critical SQLi and LFI bugs are prime candidates for weaponization given their unauthenticated attack surface.

This disclosure event is notable not just for its size but for the breadth of attack surface it covers — from the authentication layer (2FA bypass, reset-link hijacking) to the data layer (SQLi, LFI) to the presentation layer (six XSS bugs). For organizations running Joomla, the patch cycle triggered by May 26 should be treated as a priority, particularly for the six critical-severity issues that require no authentication to exploit.

Synthesized by Vypr AI