VYPR

Vendor CVEs

Joomla

All CVEs

1,051 total · sorted by risk
  • CVE-2025-63082 · Jan 6, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.

  • CVE-2025-63083 · Jan 6, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Lack of output escaping leads to an XSS vector in the pagebreak plugin.

  • CVE-2025-25227 · Apr 8, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Insufficient state checks lead to a vector that allows 2FA checks to be bypassed.

  • CVE-2025-22212 · Mar 5, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A SQL injection vulnerability in the Convert Forms component versions 1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in the backend.

  • CVE-2025-22209 · Feb 15, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A SQL injection vulnerability in the JS Jobs plugin versions 1.1.5-1.4.3 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands via the 'searchpaymentstatus' parameter in the Employer Payment History search feature.

  • CVE-2025-22206 · Feb 4, 2025
    risk 0.00 · cvss n/a · epss 0.09

    A SQL injection vulnerability in the JS Jobs plugin versions 1.1.5-1.4.2 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands via the 'fieldfor' parameter in the GDPR Field feature.

  • CVE-2024-40749 · Jan 7, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Improper access controls allow access to protected views.

  • CVE-2024-40747 · Jan 7, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Various module chromes didn't properly process inputs, leading to XSS vectors.

  • CVE-2024-40748 · Jan 7, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Lack of output escaping in the id attribute of menu lists.

  • CVE-2024-40745 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Reflected cross-site scripting vulnerability in the Convert Forms component for Joomla in versions before 4.4.8.

  • CVE-2024-27185 · Aug 20, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.

  • CVE-2024-27186 · Aug 20, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.

  • CVE-2024-27184 · Aug 20, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Inadequate validation of URLs could result in an incorrect check of whether a redirect URL is internal or not.

  • CVE-2024-40743 · Aug 20, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.

  • CVE-2024-27187 · Aug 20, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Improper access controls allow backend users to overwrite their username even when this is disallowed.

  • CVE-2024-21729 · Jul 9, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.

  • CVE-2024-21730 · Jul 9, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.

  • CVE-2024-26279 · Jul 9, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The wrapper extensions do not correctly validate inputs, leading to XSS vectors.

  • CVE-2024-26278 · Jul 9, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The Custom Fields component does not correctly filter inputs, leading to an XSS vector.

  • CVE-2024-21731 · Jul 9, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.

  • CVE-2024-2045 · Feb 29, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Session version 1.17.5 allows obtaining internal application files and public files from the user's device without the user's consent. This is possible because the application is vulnerable to Local File Read via chat attachments.

  • CVE-2024-21723 · Feb 20, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Inadequate parsing of URLs could result in an open redirect.

  • CVE-2024-21725 · Feb 20, 2024
    risk 0.00 · cvss n/a · epss 0.32

    Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components.

  • CVE-2024-21724 · Feb 20, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions.

  • CVE-2024-21722 · Feb 20, 2024
    risk 0.00 · cvss n/a · epss 0.01

    The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.

  • CVE-2024-21726 · Feb 20, 2024
    risk 0.00 · cvss n/a · epss 0.49

    Inadequate content filtering leads to XSS vulnerabilities in various components.

  • CVE-2024-21728 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An Open Redirect vulnerability was found in osTicky2 below 2.2.8. osTicky (osTicket Bridge) by SmartCalc is a Joomla 3.x extension that provides Joomla frontend integration with osTicket, a popular support ticket system. The Open Redirect vulnerability allows attackers to control…

  • CVE-2023-40627 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A reflected XSS vulnerability was discovered in the LivingWord component for Joomla.

  • CVE-2023-40659 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A reflected XSS vulnerability was discovered in the Easy Quick Contact module for Joomla.

  • CVE-2023-40629 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    SQLi vulnerability in LMS Lite component for Joomla.

  • CVE-2023-49708 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    SQLi vulnerability in Starshop component for Joomla.

  • CVE-2023-40656 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A reflected XSS vulnerability was discovered in the Quickform component for Joomla.

  • CVE-2023-49707 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    SQLi vulnerability in S5 Register module for Joomla.

  • CVE-2023-40657 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A reflected XSS vulnerability was discovered in the Joomdoc component for Joomla.

  • CVE-2023-40630 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Unauthenticated LFI/SSRF in JCDashboards component for Joomla.

  • CVE-2023-40655 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A reflected XSS vulnerability was discovered in the Proforms Basic component for Joomla.

  • CVE-2023-40626 · Nov 29, 2023
    risk 0.00 · cvss n/a · epss 0.01

    The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensitive information.

  • CVE-2023-39971 · Aug 17, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Improper Neutralization of Input During Web Page Generation vulnerability in AcyMailing Enterprise component for Joomla allows XSS. This issue affects AcyMailing Enterprise component for Joomla: 6.7.0-8.6.3.

  • CVE-2023-39974 · Aug 17, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Exposure of Sensitive Information vulnerability in AcyMailing Enterprise component for Joomla. It allows unauthorized actors to get the number of subscribers in a specific list.

  • CVE-2023-39972 · Aug 17, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows unauthorized users to create new mailing lists.

  • CVE-2023-39973 · Aug 17, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows the unauthorized removal of attachments from campaigns.

  • CVE-2023-23754 · May 30, 2023
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.

  • CVE-2023-23755 · May 30, 2023
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.

  • CVE-2023-23751 · Feb 1, 2023
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.

  • CVE-2023-23750 · Feb 1, 2023
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.

  • CVE-2023-23749 · Jan 17, 2023
    risk 0.00 · cvss n/a · epss 0.01

    The 'LDAP Integration with Active Directory and OpenLDAP - NTLM & Kerberos Login' extension is vulnerable to LDAP injection since it does not properly sanitize the 'username' POST parameter. An attacker can manipulate this parameter to dump arbitrary contents from the LDAP database.

  • CVE-2022-27914 · Nov 8, 2022
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.

  • CVE-2022-27913 · Oct 25, 2022
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.

  • CVE-2022-27912 · Oct 25, 2022
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.

  • CVE-2022-27911 · Aug 31, 2022
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in Joomla! 4.2.0. Multiple full path disclosures because of a missing '_JEXEC or die' check, caused by the PSR-12 changes.
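
Several entries above (CVE-2024-27184, CVE-2024-21723, CVE-2023-23754, CVE-2024-21728) come down to the same flawed decision: is this redirect target internal? The following is an added illustration written for this listing, not Joomla code or any of the affected extensions' code. The site host `example.com`, the function names and the sample targets are assumptions; the naive check reproduces the class of mistake, the second one is the version a practitioner would ship.

```python
"""Deciding whether a redirect target is internal: a naive prefix check beside
a hardened one.  Added illustration for this listing, not Joomla code; the host,
the function names and the sample targets are assumptions."""
from urllib.parse import urlsplit

SITE_HOST = "example.com"  # assumed host the application is served from


def is_internal_naive(url: str) -> bool:
    """A prefix-style check of the kind that yields an open redirect.

    "//evil.net" passes the leading-slash test and the browser treats it as
    protocol-relative; "https://example.com.evil.net" passes the host-prefix
    test."""
    return url.startswith("/") or url.startswith(f"https://{SITE_HOST}")


def is_internal(url: str, site_host: str = SITE_HOST) -> bool:
    """Return True only for targets that stay on site_host.

    Rejects whitespace, control characters and backslashes (browsers treat
    "/\\evil.net" like "//evil.net"), protocol-relative targets, non-http
    schemes (javascript:, data:, ...) and userinfo tricks, and compares the
    parsed host exactly rather than by prefix."""
    if not url or any(ch.isspace() or ch in "\\\x00" or ord(ch) < 0x20 for ch in url):
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: exactly one leading slash, never "//".
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    # urlsplit lower-cases the host; compare the whole host, not a prefix.
    return parts.hostname is not None and parts.hostname == site_host.lower()


def safe_redirect_target(url: str, fallback: str = "/") -> str:
    """Use the requested target only when it is internal, otherwise fall back."""
    return url if is_internal(url) else fallback
```

The check deliberately refuses bare relative paths without a leading slash and any userinfo component; both are legitimate in rare cases, but a redirect validator should fail closed and let the caller supply a fallback.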
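
CVE-2025-63082 above concerns data URLs inside `img` tags slipping through an HTML filter. The block below is an added illustration of how such a filter allow-lists image sources; it is not Joomla's filter code. The raster-type allow-list (png, jpeg, gif, webp, base64 only), the class and function names and the sample fragments are assumptions made for the example. Note that `image/svg+xml` is excluded on purpose, because SVG can carry script and event handlers, and that the scheme check runs only after every control character and whitespace has been rejected, since those are the usual scheme-obfuscation tricks.

```python
"""Allow-listing data: URLs in <img src> inside an HTML filter.

Added illustration for this listing, not Joomla's filter code.  The raster-type
allow-list and the class/function names are assumptions made for the example."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Only base64-encoded raster types.  image/svg+xml is deliberately absent:
# SVG can carry <script> and event handlers.
SAFE_DATA_IMG = re.compile(
    r"\Adata:image/(?:png|jpeg|gif|webp);base64,[A-Za-z0-9+/]+={0,2}\Z"
)


def is_safe_img_src(src: str) -> bool:
    """True for site-relative/http(s) targets and for vetted data: images."""
    # Any control character or whitespace is a scheme-obfuscation trick
    # ("java\tscript:", "data :") and rejects the value outright.
    if not src or any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in src):
        return False
    scheme = urlsplit(src).scheme          # lower-cased by urlsplit
    if scheme in ("", "http", "https"):
        return True
    if scheme == "data":
        # Normalise the scheme spelling ("DaTa:"), then require the strict shape.
        return SAFE_DATA_IMG.match("data:" + src[5:]) is not None
    return False                           # javascript:, vbscript:, file: ...


class ImgOnlyFilter(HTMLParser):
    """Tiny allow-list filter: keeps text and <img> with vetted attributes,
    drops every other tag and every other attribute (onerror, style, ...)."""

    ALLOWED_ATTRS = ("src", "alt", "width", "height")

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        # HTMLParser has already decoded entities, so "&#106;avascript:"
        # arrives here as "javascript:" and is rejected by the src check.
        if not is_safe_img_src(attrs.get("src") or ""):
            return                         # drop the whole element
        kept = " ".join(
            f'{name}="{escape(attrs[name], quote=True)}"'
            for name in self.ALLOWED_ATTRS
            if attrs.get(name) is not None
        )
        self.out.append(f"<img {kept}>")

    handle_startendtag = handle_starttag   # <img ... /> is handled the same way

    def handle_data(self, data):
        self.out.append(escape(data))      # text is re-escaped on output


def filter_html(fragment: str) -> str:
    """Run the filter over an untrusted fragment and return the clean HTML."""
    parser = ImgOnlyFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Dropping the whole `img` element rather than just its `src` attribute is intentional: an element that survives with a stripped source is still a place for other attribute-based tricks, and the filter has already decided the input is hostile.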
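
CVE-2024-21722 above describes MFA management that left existing sessions alive after a user's MFA methods changed. The following added example, written for this listing and not taken from Joomla's session handling, shows the fix pattern: a per-user authentication version that every session is stamped with, bumped on any MFA change, plus explicit revocation of the user's other sessions. The store, the `auth_version` counter and the stolen-session scenario are assumptions made for the example.

```python
"""Terminating other sessions when a user's MFA configuration changes.

Added illustration for this listing, not Joomla's session code.  The store,
the auth_version counter and the scenario are assumptions for the example."""
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    mfa_methods: list
    auth_version: int = 0      # incremented on every MFA configuration change


@dataclass
class Session:
    session_id: str
    user_id: int
    auth_version: int          # the user's auth_version when the session was issued


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, user: User) -> Session:
        session = Session(secrets.token_hex(16), user.user_id, user.auth_version)
        self._sessions[session.session_id] = session
        return session

    def is_valid(self, session_id: str, user: User) -> bool:
        session = self._sessions.get(session_id)
        # The version comparison catches sessions that outlive a revocation
        # (replicated stores, stale caches); revoke_others is the primary cut.
        return (session is not None
                and session.user_id == user.user_id
                and session.auth_version == user.auth_version)

    def revoke_others(self, user: User, keep_session_id: str) -> int:
        doomed = [sid for sid, s in self._sessions.items()
                  if s.user_id == user.user_id and sid != keep_session_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def change_mfa_methods_vulnerable(user, store, current, new_methods):
    """The flawed behaviour: configuration changes, every session stays live."""
    user.mfa_methods = list(new_methods)


def change_mfa_methods(user, store, current, new_methods):
    """Change MFA methods, then invalidate every other session of this user.
    The session that performed the change is re-stamped so it survives."""
    user.mfa_methods = list(new_methods)
    user.auth_version += 1
    current.auth_version = user.auth_version
    store.revoke_others(user, current.session_id)


def simulate(fixed: bool) -> tuple:
    """The owner re-enrols MFA while an attacker holds a stolen session.
    Returns (owner_session_still_valid, stolen_session_still_valid)."""
    user = User(user_id=42, mfa_methods=["totp"])
    store = SessionStore()
    owner = store.create(user)
    stolen = store.create(user)          # a second session, now in attacker hands
    handler = change_mfa_methods if fixed else change_mfa_methods_vulnerable
    handler(user, store, owner, ["totp", "webauthn"])
    return store.is_valid(owner.session_id, user), store.is_valid(stolen.session_id, user)
```

The same version stamp is the natural hook for other security-relevant profile changes (password reset, email change): bump it there too and the check stays a single comparison on every request.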
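
CVE-2023-23749 above is an LDAP injection through an unsanitised `username` POST parameter. The block below is an added illustration for this listing, not the affected extension's code: it escapes the value per RFC 4515 before it is placed in a search filter and shows, on a constructed payload, how the unescaped filter is rewritten. The filter template (`objectClass=user`, `sAMAccountName`), the function names and the payload are assumptions made for the example.

```python
"""Escaping a username before it is placed in an LDAP search filter.

Added illustration for this listing, not the affected extension's code.  The
filter template, attribute names and the sample payload are assumptions."""

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion
# value; everything else may appear literally.  Char-by-char substitution makes
# the order of the entries irrelevant (no double-escaping of the backslash).
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Return value with RFC 4515 special characters hex-escaped."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_vulnerable(username: str) -> str:
    """Direct interpolation: the username can close the assertion and add its
    own, turning a lookup of one account into a wildcard match or a dump."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_login_filter(username: str) -> str:
    """Escape first, so the filter always asserts on exactly one literal value."""
    return f"(&(objectClass=user)(sAMAccountName={escape_ldap_filter_value(username)}))"


INJECTED_USERNAME = "*)(uid=*))(|(uid=*"   # constructed classic payload


def compare(username: str) -> dict:
    """Both filters for the same input, side by side."""
    return {
        "vulnerable": build_login_filter_vulnerable(username),
        "escaped": build_login_filter(username),
    }
```

Escaping keeps the filter well-formed; it does not decide whether `*` is an acceptable username. Pairing it with an allow-list on the username character set (letters, digits, a few punctuation marks, bounded length) rejects the payload before a directory query is built at all.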
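
The SQL injection entries above (CVE-2025-22212, CVE-2025-22209, CVE-2025-22206) share one shape: an administrator-supplied search value such as `searchpaymentstatus` is concatenated into a query. The block below is an added illustration for this listing, not the affected extensions' code; it runs the vulnerable and the corrected query against an in-memory SQLite table. The table, the sample rows, the status allow-list and the payload are constructed for the example.

```python
"""SQL injection through a search parameter, and the parameterised fix.

Added illustration for this listing, not the affected extensions' code.  The
table, the sample rows, the allow-list and the payload are constructed."""
import sqlite3

# Constructed sample data standing in for an employer payment-history table.
SAMPLE_ROWS = [
    (1, "acme", "paid"),
    (2, "acme", "pending"),
    (3, "globex", "paid"),
    (4, "initech", "refunded"),
]
ALLOWED_STATUS = {"paid", "pending", "refunded"}   # the enumerated field's values


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE payments (id INTEGER PRIMARY KEY, employer TEXT, status TEXT)")
    con.executemany("INSERT INTO payments VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def search_vulnerable(con, employer: str, status: str) -> list:
    """String-built WHERE clause: the status value can rewrite the predicate."""
    sql = (f"SELECT id FROM payments WHERE employer = '{employer}' "
           f"AND status = '{status}'")
    return [row[0] for row in con.execute(sql)]


def search_parameterised(con, employer: str, status: str) -> list:
    """Bound parameters: the value is data, never SQL, whatever it contains."""
    sql = "SELECT id FROM payments WHERE employer = ? AND status = ?"
    return [row[0] for row in con.execute(sql, (employer, status))]


def search_fixed(con, employer: str, status: str) -> list:
    """Allow-list the enumerated field as well: a bogus status is an error,
    not a query."""
    if status not in ALLOWED_STATUS:
        raise ValueError(f"unknown payment status: {status!r}")
    return search_parameterised(con, employer, status)


INJECTED_STATUS = "x' OR '1'='1"   # constructed payload; AND binds tighter than OR


def demo() -> dict:
    """Same inputs through each variant, for comparison."""
    con = make_db()
    return {
        "legit_vulnerable": search_vulnerable(con, "acme", "paid"),
        "injected_vulnerable": search_vulnerable(con, "acme", INJECTED_STATUS),
        "injected_parameterised": search_parameterised(con, "acme", INJECTED_STATUS),
        "legit_fixed": search_fixed(con, "acme", "paid"),
    }
```

With the payload, the vulnerable query becomes `... employer = 'acme' AND status = 'x' OR '1'='1'`, which matches every row regardless of employer; the bound version compares the literal string and matches nothing. The allow-list matters because "authenticated (administrator)" is still untrusted input once a backend account is phished or shared.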

Page 15 of 22