Vendor CVEs
Joomla
All CVEs
1,051 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-63082 | | | 0.00 | — | 0.00 | | Jan 6, 2026 | Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags. |
| CVE-2025-63083 | | | 0.00 | — | 0.00 | | Jan 6, 2026 | Lack of output escaping leads to an XSS vector in the pagebreak plugin. |
| CVE-2025-25227 | | | 0.00 | — | 0.00 | | Apr 8, 2025 | Insufficient state checks lead to a vector that allows 2FA checks to be bypassed. |
| CVE-2025-22212 | | | 0.00 | — | 0.00 | | Mar 5, 2025 | A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in the backend. |
| CVE-2025-22209 | | | 0.00 | — | 0.00 | | Feb 15, 2025 | A SQL injection vulnerability in the JS Jobs plugin versions 1.1.5-1.4.3 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands via the 'searchpaymentstatus' parameter in the Employer Payment History search feature. |
| CVE-2025-22206 | | | 0.00 | — | 0.09 | | Feb 4, 2025 | A SQL injection vulnerability in the JS Jobs plugin versions 1.1.5-1.4.2 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands via the 'fieldfor' parameter in the GDPR Field feature. |
| CVE-2024-40749 | | | 0.00 | — | 0.00 | | Jan 7, 2025 | Improper access controls allow access to protected views. |
| CVE-2024-40747 | | | 0.00 | — | 0.00 | | Jan 7, 2025 | Various module chromes didn't properly process inputs, leading to XSS vectors. |
| CVE-2024-40748 | | | 0.00 | — | 0.00 | | Jan 7, 2025 | Lack of output escaping in the id attribute of menu lists. |
| CVE-2024-40745 | | | 0.00 | — | 0.00 | | Dec 4, 2024 | Reflected cross-site scripting vulnerability in the Convert Forms component for Joomla in versions before 4.4.8. |
| CVE-2024-27185 | | | 0.00 | — | 0.00 | | Aug 20, 2024 | The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors. |
| CVE-2024-27186 | | | 0.00 | — | 0.00 | | Aug 20, 2024 | The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions. |
| CVE-2024-27184 | | | 0.00 | — | 0.00 | | Aug 20, 2024 | Inadequate validation of URLs could result in an invalid check of whether a redirect URL is internal or not. |
| CVE-2024-40743 | | | 0.00 | — | 0.00 | | Aug 20, 2024 | The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors. |
| CVE-2024-27187 | | | 0.00 | — | 0.00 | | Aug 20, 2024 | Improper access controls allow backend users to overwrite their username when disallowed. |
| CVE-2024-21729 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field. |
| CVE-2024-21730 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector. |
| CVE-2024-26279 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | The wrapper extensions do not correctly validate inputs, leading to XSS vectors. |
| CVE-2024-26278 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | The Custom Fields component does not correctly filter inputs, leading to an XSS vector. |
| CVE-2024-21731 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | Improper handling of input could lead to an XSS vector in the StringHelper::truncate method. |
| CVE-2024-2045 | | | 0.00 | — | 0.00 | | Feb 29, 2024 | Session version 1.17.5 allows obtaining internal application files and public files from the user's device without the user's consent. This is possible because the application is vulnerable to Local File Read via chat attachments. |
| CVE-2024-21723 | | | 0.00 | — | 0.01 | | Feb 20, 2024 | Inadequate parsing of URLs could result in an open redirect. |
| CVE-2024-21725 | | | 0.00 | — | 0.32 | | Feb 20, 2024 | Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components. |
| CVE-2024-21724 | | | 0.00 | — | 0.01 | | Feb 20, 2024 | Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions. |
| CVE-2024-21722 | | | 0.00 | — | 0.01 | | Feb 20, 2024 | The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified. |
| CVE-2024-21726 | | | 0.00 | — | 0.49 | | Feb 20, 2024 | Inadequate content filtering leads to XSS vulnerabilities in various components. |
| CVE-2024-21728 | | | 0.00 | — | 0.00 | | Feb 15, 2024 | An Open Redirect vulnerability was found in osTicky2 below 2.2.8. osTicky (osTicket Bridge) by SmartCalc is a Joomla 3.x extension that provides Joomla frontend integration with osTicket, a popular support ticket system. The Open Redirect vulnerability allows attackers to control… |
| CVE-2023-40627 | | | 0.00 | — | 0.00 | | Dec 14, 2023 | A reflected XSS vulnerability was discovered in the LivingWord component for Joomla. |
| CVE-2023-40659 | | | 0.00 | — | 0.00 | | Dec 14, 2023 | A reflected XSS vulnerability was discovered in the Easy Quick Contact module for Joomla. |
| CVE-2023-40629 | | | 0.00 | — | 0.01 | | Dec 14, 2023 | SQLi vulnerability in the LMS Lite component for Joomla. |
| CVE-2023-49708 | | | 0.00 | — | 0.01 | | Dec 14, 2023 | SQLi vulnerability in the Starshop component for Joomla. |
| CVE-2023-40656 | | | 0.00 | — | 0.00 | | Dec 14, 2023 | A reflected XSS vulnerability was discovered in the Quickform component for Joomla. |
| CVE-2023-49707 | | | 0.00 | — | 0.01 | | Dec 14, 2023 | SQLi vulnerability in the S5 Register module for Joomla. |
| CVE-2023-40657 | | | 0.00 | — | 0.00 | | Dec 14, 2023 | A reflected XSS vulnerability was discovered in the Joomdoc component for Joomla. |
| CVE-2023-40630 | | | 0.00 | — | 0.01 | | Dec 14, 2023 | Unauthenticated LFI/SSRF in the JCDashboards component for Joomla. |
| CVE-2023-40655 | | | 0.00 | — | 0.00 | | Dec 14, 2023 | A reflected XSS vulnerability was discovered in the Proforms Basic component for Joomla. |
| CVE-2023-40626 | | | 0.00 | — | 0.01 | | Nov 29, 2023 | The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensitive information. |
| CVE-2023-39971 | | | 0.00 | — | 0.00 | | Aug 17, 2023 | Improper Neutralization of Input During Web Page Generation vulnerability in the AcyMailing Enterprise component for Joomla allows XSS. This issue affects AcyMailing Enterprise component for Joomla: 6.7.0-8.6.3. |
| CVE-2023-39974 | | | 0.00 | — | 0.00 | | Aug 17, 2023 | Exposure of Sensitive Information vulnerability in the AcyMailing Enterprise component for Joomla. It allows unauthorized actors to get the number of subscribers in a specific list. |
| CVE-2023-39972 | | | 0.00 | — | 0.00 | | Aug 17, 2023 | Improper Access Control vulnerability in the AcyMailing Enterprise component for Joomla. It allows unauthorized users to create new mailing lists. |
| CVE-2023-39973 | | | 0.00 | — | 0.00 | | Aug 17, 2023 | Improper Access Control vulnerability in the AcyMailing Enterprise component for Joomla. It allows the unauthorized removal of attachments from campaigns. |
| CVE-2023-23754 | | | 0.00 | — | 0.00 | | May 30, 2023 | An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new MFA selection screen. |
| CVE-2023-23755 | | | 0.00 | — | 0.01 | | May 30, 2023 | An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods. |
| CVE-2023-23751 | | | 0.00 | — | 0.00 | | Feb 1, 2023 | An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs. |
| CVE-2023-23750 | | | 0.00 | — | 0.00 | | Feb 1, 2023 | An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages. |
| CVE-2023-23749 | | | 0.00 | — | 0.01 | | Jan 17, 2023 | The 'LDAP Integration with Active Directory and OpenLDAP - NTLM & Kerberos Login' extension is vulnerable to LDAP injection since it does not properly sanitize the 'username' POST parameter. An attacker can manipulate this parameter to dump arbitrary contents from the LDAP database. |
| CVE-2022-27914 | | | 0.00 | — | 0.00 | | Nov 8, 2022 | An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media. |
| CVE-2022-27913 | | | 0.00 | — | 0.00 | | Oct 25, 2022 | An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components. |
| CVE-2022-27912 | | | 0.00 | — | 0.01 | | Oct 25, 2022 | An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests. |
| CVE-2022-27911 | | | 0.00 | — | 0.00 | | Aug 31, 2022 | An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of a missing '_JEXEC or die' check caused by the PSR12 changes. |
Page 15 of 22