VYPR · Vendor CVEs · Joomla · All CVEs

1,051 total · sorted by risk
  • CVE-2018-7317 · High · Feb 22, 2018
    risk 0.52 · cvss 7.5 · epss 0.08

    Backup Download exists in the Proclaim 9.1.1 component for Joomla! via a direct request for a .sql file under backup/.

  • CVE-2018-6610 · High · Feb 5, 2018
    risk 0.52 · cvss 7.5 · epss 0.08

    Information Leakage exists in the jLike 1.0 component for Joomla! via a task=getUserByCommentId request.

  • CVE-2026-23899 · High · Apr 1, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    An improper access check allows unauthorized access to webservice endpoints.

  • CVE-2026-21630 · High · Apr 1, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

  • CVE-2026-48901 · High · May 26, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The InputFilter::getInstance() method omitted a security-sensitive parameter from the instance cache key.

  • CVE-2026-48897 · High · May 26, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Insufficient state checks lead to a vector that allows bypassing 2FA checks.

  • CVE-2026-48896 · High · May 26, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Insufficient state checks lead to a vector that allows bypassing 2FA checks.

  • CVE-2026-40384 · High · May 26, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.

  • CVE-2020-37219 · High · May 13, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability that allows unauthenticated attackers to list arbitrary files by manipulating the folder parameter. Attackers can send GET requests to the onAjax_files method with path traversal sequences to enumerate files…

  • CVE-2018-11322 · High · May 22, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.

  • CVE-2013-7428 · High · Sep 7, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to cause a denial of service via the url parameter to plugin_googlemap2_proxy.php.

  • CVE-2013-7432 · High · Aug 29, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to bypass an intended protection mechanism.

  • CVE-2017-9933 · High · Jul 17, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Improper cache invalidation in Joomla! CMS 1.7.3 through 3.7.2 leads to disclosure of form contents.

  • CVE-2017-5214 · High · May 17, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows prediction of a uniqid value based on knowledge of a time value. This makes it easier to read arbitrary uploaded files.

  • CVE-2016-9837 · High · Dec 16, 2016
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue was discovered in templates/beez3/html/com_content/article/default.php in Joomla! before 3.6.5. Inadequate permissions checks in the Beez3 layout override of the com_content article view allow users to view articles that should not be publicly accessible, as…

  • CVE-2008-4122 · High · Dec 19, 2008
    risk 0.49 · cvss 7.5 · epss 0.01

    Joomla! 1.5.8 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.

  • CVE-2015-8769 · High · Jan 12, 2016
    risk 0.48 · cvss 7.3 · epss 0.01

    SQL injection vulnerability in Joomla! 3.x before 3.4.7 allows attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2016-10379 · High · May 29, 2017
    risk 0.47 · cvss 7.2 · epss 0.02

    The VirtueMart com_virtuemart component 3.0.14 for Joomla! allows SQL injection by remote authenticated administrators via the virtuemart_paymentmethod_id or virtuemart_shipmentmethod_id parameter to administrator/index.php.

  • CVE-2016-1000122 · High · Oct 27, 2016
    risk 0.47 · cvss 7.2 · epss 0.02

    XSS and SQLi in the Huge IT Joomla Slider v1.0.9 extension.

  • CVE-2016-1000120 · High · Oct 27, 2016
    risk 0.47 · cvss 7.2 · epss 0.02

    SQLi and XSS in the Huge IT catalog extension v1.0.4 for Joomla.

  • CVE-2016-1000119 · High · Oct 21, 2016
    risk 0.47 · cvss 7.2 · epss 0.02

    SQLi and XSS in the Huge IT catalog extension v1.0.4 for Joomla.

  • CVE-2016-1000118 · High · Oct 21, 2016
    risk 0.47 · cvss 7.2 · epss 0.02

    XSS and SQLi in HugeIT slideshow v1.0.4.

  • CVE-2016-1000117 · High · Oct 21, 2016
    risk 0.47 · cvss 7.2 · epss 0.02

    XSS and SQLi in HugeIT slideshow v1.0.4.

  • CVE-2018-25381 · High · May 25, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filter_type_id, filter_pid_id, and filter_search…

  • CVE-2020-37226 · High · May 13, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby'…

  • CVE-2020-37224 · High · May 13, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby'…

  • CVE-2025-22213 · High · Mar 11, 2025
    risk 0.46 · cvss n/a · epss 0.00

    Inadequate checks in the Media Manager allowed users with "edit" privileges to change file extensions to arbitrary extensions, including .php and other potentially executable extensions.

  • CVE-2025-22207 · Medium · Feb 18, 2025
    risk 0.44 · cvss n/a · epss 0.00

    Improperly built order clauses lead to a SQL injection vulnerability in the backend task list of com_scheduler.

  • CVE-2018-6377 · Medium · Jan 30, 2018
    risk 0.44 · cvss 6.1 · epss 0.58

    In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e., list, radio, and checkbox.

  • CVE-2010-0467 · Medium · Feb 2, 2010
    risk 0.44 · cvss 5.8 · epss 0.43

    Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.

  • CVE-2018-10068 · Medium · Apr 12, 2018
    risk 0.43 · cvss 6.1 · epss 0.04

    The jDownloads extension before 3.2.59 for Joomla! has XSS.

  • CVE-2019-25740 · Medium · Jun 4, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Joomla com_jsjobs 1.2.6 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating custom userfield parameters. Attackers can send POST requests to the job.savejob task with path traversal sequences in the field_2…

  • CVE-2018-15881 · High · Aug 29, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    An issue was discovered in Joomla! before 3.8.12. Inadequate checks regarding disabled fields can lead to an ACL violation.

  • CVE-2018-11321 · Medium · May 22, 2018
    risk 0.42 · cvss 6.5 · epss 0.02

    An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.

  • CVE-2017-7989 · Medium · Apr 25, 2017
    risk 0.42 · cvss 6.5 · epss 0.01

    In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.

  • CVE-2026-48905 · Medium · May 26, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Lack of input filtering leads to an XSS vector in the HTML filter code.

  • CVE-2026-48903 · Medium · May 26, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.

  • CVE-2026-30895 · Medium · May 26, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Lack of output escaping leads to an XSS vector in the readmore links for com_content.

  • CVE-2026-30894 · Medium · May 26, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Lack of output escaping leads to an XSS vector in the content history component.

  • CVE-2026-25901 · Medium · May 26, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Lack of output escaping leads to an XSS vector in the multilingual associations component.

  • CVE-2026-25900 · Medium · May 26, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Lack of output escaping leads to an XSS vector in the feed modules.

  • CVE-2023-54364 · Medium · Apr 9, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the…

  • CVE-2023-54362 · Medium · Apr 9, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the…

  • CVE-2023-54361 · Medium · Apr 9, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter…

  • CVE-2023-54360 · Medium · Apr 9, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers…

  • CVE-2026-23898 · High · Apr 1, 2026
    risk 0.40 · cvss 7.2 · epss 0.00

    Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

  • CVE-2026-21629 · High · Apr 1, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.

  • CVE-2018-12711 · Medium · Jun 26, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or…

  • CVE-2018-6378 · Medium · May 22, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    In Joomla! Core before 3.8.8, inadequate filtering of file and folder names leads to various XSS attack vectors in the media manager.

  • CVE-2018-6380 · Medium · Jan 30, 2018
    risk 0.40 · cvss 6.1 · epss 0.02

    In Joomla! before 3.8.4, lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.

Page 3 of 22