VYPR

Vendor CVEs

Joomla

All CVEs

1,051 total · sorted by risk
  • CVE-2018-6575 · Critical · Feb 2, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the JEXTN Classified 1.0.0 component for Joomla! via a view=boutique&sid= request.

  • CVE-2018-6398 · Critical · Jan 30, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the CP Event Calendar 3.0.1 component for Joomla! via the id parameter in a task=load action.

  • CVE-2018-6395 · Critical · Jan 30, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the Visual Calendar 3.1.3 component for Joomla! via the id parameter in a view=load action.

  • CVE-2018-5984 · Critical · Jan 24, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the Tumder (An Arcade Games Platform) 2.1 component for Joomla! via the PATH_INFO to the category/ URI.

  • CVE-2017-17870 · Critical · Dec 27, 2017
    risk 0.67 · cvss 9.8 · epss 0.03

    The JBuildozer extension 1.4.1 for Joomla! has SQL Injection via the appid parameter in an entriessearch action.

  • CVE-2017-15966 · Critical · Oct 29, 2017
    risk 0.67 · cvss 9.8 · epss 0.03

    The Zh YandexMap (aka com_zhyandexmap) component 6.1.1.0 for Joomla! allows SQL Injection via the placemarklistid parameter to index.php.

  • CVE-2017-15965 · Critical · Oct 29, 2017
    risk 0.67 · cvss 9.8 · epss 0.03

    The NS Download Shop (aka com_ns_downloadshop) component 2.2.6 for Joomla! allows SQL Injection via the id parameter in an invoice.create action.

  • CVE-2015-4073 · Critical · Sep 20, 2017
    risk 0.67 · cvss 9.8 · epss 0.04

    Multiple SQL injection vulnerabilities in the Helpdesk Pro plugin before 1.4.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) ticket_code or (2) email parameter or (3) remote authenticated users to execute arbitrary SQL commands via the…

  • CVE-2015-2798 · Critical · Jul 25, 2017
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL injection vulnerability in Joomla! Component Contact Form Maker 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2026-48904 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An improper access check allows privilege escalation through the com_users group editing webservice endpoint.

  • CVE-2026-48902 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

  • CVE-2026-48898 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An improper access check allows privilege escalation through the com_users batch task.

  • CVE-2026-40383 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An improper validation of user-supplied input leads to a local file inclusion vulnerability.

  • CVE-2026-35223 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An improper access check allows unauthorized access to com_config webservice endpoints.

  • CVE-2026-35222 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.

  • CVE-2026-35221 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.

  • CVE-2017-18345 · Critical · Aug 26, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    The Joomanager component through 2.0.0 for Joomla! has an arbitrary file download issue, resulting in exposing the credentials of the database via an index.php?option=com_joomanager&controller=details&task=download&path=configuration.php request.

  • CVE-2018-11325 · Critical · May 22, 2018
    risk 0.64 · cvss 9.8 · epss 0.04

    An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and display the plaintext password for the administrator account at the confirmation…

  • CVE-2018-6376 · Critical · Jan 30, 2018
    risk 0.64 · cvss 9.8 · epss 0.05

    In Joomla! before 3.8.4, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.

  • CVE-2017-16634 · Critical · Nov 10, 2017
    risk 0.64 · cvss 9.8 · epss 0.04

    In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication method.

  • CVE-2017-15946 · Critical · Oct 28, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    In the com_tag component 1.7.6 for Joomla!, a SQL injection vulnerability is located in the `tag` parameter to index.php. The request method to execute is GET.

  • CVE-2017-14596 · Critical · Sep 20, 2017
    risk 0.64 · cvss 9.8 · epss 0.06

    In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password.

  • CVE-2013-7429 · Critical · Sep 14, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to conduct XML injection attacks via the url parameter to plugin_googlemap2_proxy.php.

  • CVE-2017-5215 · Critical · May 17, 2017
    risk 0.64 · cvss 9.8 · epss 0.04

    The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows a rename attack that bypasses a "safe file extension" protection mechanism, leading to remote code execution.

  • CVE-2016-9081 · Critical · Jan 23, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    Joomla! 3.4.4 through 3.6.3 allows attackers to reset username, password, and user group assignments and possibly perform other user account modifications via unspecified vectors.

  • CVE-2016-10114 · Critical · Jan 4, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    SQL injection vulnerability in the "aWeb Cart Watching System for Virtuemart" extension before 2.6.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via vectors involving categorysearch and smartSearch.

  • CVE-2016-9836 · Critical · Dec 5, 2016
    risk 0.64 · cvss 9.8 · epss 0.02

    The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to upload and execute files with the `.php6`, `.php7`, `.phtml`, and `.phpt`…

  • CVE-2016-1000113 · Critical · Oct 6, 2016
    risk 0.64 · cvss 9.8 · epss 0.03

    XSS and SQLi in huge IT gallery v1.1.5 for Joomla

  • CVE-2016-8870 · High · Nov 4, 2016
    risk 0.62 · cvss 8.1 · epss 0.82

    The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration…

  • CVE-2025-49484 · High · Jul 18, 2025
    risk 0.60 · cvss n/a · epss 0.03

    A SQL injection vulnerability in the JS Jobs plugin versions 1.0.0-1.4.1 for Joomla allows low-privilege users to execute arbitrary SQL commands via the 'cvid' parameter in the employee application feature.

  • CVE-2018-8045 · High · Mar 15, 2018
    risk 0.60 · cvss 8.8 · epss 0.29

    In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view.

  • CVE-2018-6007 · High · Jan 29, 2018
    risk 0.60 · cvss 8.8 · epss 0.02

    CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and allows attackers to inject HTML or edit a ticket.

  • CVE-2015-7715 · High · Oct 18, 2017
    risk 0.60 · cvss 8.8 · epss 0.03

    Cross-site request forgery (CSRF) vulnerability in the Realtyna RPL (com_rpl) component before 8.9.5 for Joomla! allows remote attackers to hijack the authentication of administrators for requests that add a user via an add_user action to administrator/index.php.

  • CVE-2025-54475 · High · Aug 15, 2025
    risk 0.57 · cvss n/a · epss 0.00

    A SQL injection vulnerability in the JS Jobs plugin versions 1.3.2-1.4.4 for Joomla allows low-privilege users to execute arbitrary SQL commands.

  • CVE-2018-17858 · High · Oct 9, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in Joomla! before 3.8.13. com_installer actions do not have sufficient CSRF hardening in the backend.

  • CVE-2018-17855 · High · Oct 9, 2018
    risk 0.57 · cvss 8.8 · epss 0.02

    An issue was discovered in Joomla! before 3.8.13. If an attacker gets access to the mail account of a user who can approve admin verifications in the registration process, he can activate himself.

  • CVE-2018-15882 · Critical · Aug 29, 2018
    risk 0.57 · cvss 9.8 · epss 0.03

    An issue was discovered in Joomla! before 3.8.12. Inadequate checks in the InputFilter class could allow specifically prepared phar files to pass the upload filter.

  • CVE-2018-12712 · High · Jun 26, 2018
    risk 0.57 · cvss 8.8 · epss 0.02

    An issue was discovered in Joomla! 2.5.0 through 3.8.8 before 3.8.9. The autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3, this function validates invalid names as valid, which can result in a Local File Inclusion.

  • CVE-2018-11323 · High · May 22, 2018
    risk 0.57 · cvss 8.8 · epss 0.03

    An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.

  • CVE-2017-11364 · High · Aug 2, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    The CMS installer in Joomla! before 3.7.4 does not verify a user's ownership of a webspace, which allows remote authenticated users to gain control of the target application by leveraging Certificate Transparency logs.

  • CVE-2015-4075 · High · Sep 20, 2017
    risk 0.56 · cvss 8.1 · epss 0.07

    The Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to write to arbitrary .ini files via a crafted language.save task.

  • CVE-2015-4074 · High · Sep 20, 2017
    risk 0.56 · cvss 7.5 · epss 0.57

    Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.

  • CVE-2018-10063 · High · Apr 12, 2018
    risk 0.54 · cvss 7.8 · epss 0.10

    The Convert Forms extension before 2.0.4 for Joomla! is vulnerable to Remote Command Execution using CSV Injection that is mishandled when exporting a Leads file.

  • CVE-2018-25433 · High · Jun 1, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the categoryid parameter. Attackers can send GET requests to index.php with crafted…

  • CVE-2018-25351 · High · May 23, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    Joomla! Component EkRishta 2.10 contains an error-based SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the username parameter. Attackers can submit POST requests to the login endpoint with SQL…

  • CVE-2018-25330 · High · May 17, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities that allow attackers to inject malicious code through profile fields and POST parameters. Attackers can inject script payloads in profile information fields like Address…

  • CVE-2020-37218 · High · May 13, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL…

  • CVE-2025-53204 · High · Aug 20, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme eventlist eventlist allows PHP Local File Inclusion. This issue affects eventlist: from n/a through <= 1.9.2.

  • CVE-2018-6397 · High · Jan 30, 2018
    risk 0.53 · cvss 7.5 · epss 0.12

    Directory Traversal exists in the Picture Calendar 3.1.4 component for Joomla! via the list.php folder parameter.

  • CVE-2016-9838 · High · Dec 16, 2016
    risk 0.53 · cvss 7.5 · epss 0.14

    An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group…

Page 2 of 22