VYPR

Vendor CVEs

Joomla

All CVEs

1,051 total · sorted by risk
  • CVE-2018-6379MedJan 30, 2018
    risk 0.40cvss 6.1epss 0.02

    In Joomla! before 3.8.4, inadequate input filtering in the Uri class (formerly JUri) leads to an XSS vulnerability.

  • CVE-2015-5608MedSep 20, 2017
    risk 0.40cvss 6.1epss 0.01

    Open redirect vulnerability in Joomla! CMS 3.0.0 through 3.4.1.

  • CVE-2013-7433MedAug 29, 2017
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in the Googlemaps plugin before 3.1 for Joomla!.

  • CVE-2013-7430MedAug 28, 2017
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in the Googlemaps plugin before 3.1 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the xmlns parameter.

  • CVE-2017-11612MedJul 26, 2017
    risk 0.40cvss 6.1epss 0.01

    In Joomla! before 3.7.4, inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components.

  • CVE-2017-9934MedJul 17, 2017
    risk 0.40cvss 6.1epss 0.02

    Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability.

  • CVE-2017-7987MedApr 25, 2017
    risk 0.40cvss 6.1epss 0.01

    In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component.

  • CVE-2017-7986MedApr 25, 2017
    risk 0.40cvss 6.1epss 0.01

    In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of specific HTML attributes leads to XSS vulnerabilities in various components.

  • CVE-2017-7985MedApr 25, 2017
    risk 0.40cvss 6.1epss 0.01

    In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.

  • CVE-2017-7984MedApr 25, 2017
    risk 0.40cvss 6.1epss 0.01

    In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering leads to XSS in the template manager component.

  • CVE-2016-1000114MedOct 6, 2016
    risk 0.40cvss 6.1epss 0.01

    XSS in huge IT gallery v1.1.5 for Joomla

  • CVE-2018-11324MedMay 22, 2018
    risk 0.38cvss 5.9epss 0.01

    An issue was discovered in Joomla! Core before 3.8.8. A long running background process, such as remote checks for core or extension updates, could create a race condition where a session that was expected to be destroyed would be recreated.

  • CVE-2014-9686MedSep 28, 2017
    risk 0.38cvss 5.9epss 0.02

    The Googlemaps plugin 3.2 and earlier for Joomla! allows remote attackers with control of a sub-domain belonging to a victim domain to cause a denial of service via the 'url' parameter to plugin_googlemap3_kmlprxy.php. NOTE: this vulnerability exists because of an incomplete…

  • CVE-2015-4072MedSep 20, 2017
    risk 0.38cvss 5.4epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in the Helpdesk Pro plugin before 1.4.0 for Joomla! allow remote attackers to inject arbitrary web script or HTML via vectors related to name and message.

  • CVE-2015-4071MedAug 18, 2017
    risk 0.38cvss 5.3epss 0.10

    The Helpdesk Pro Plugin before 1.4.0 for Joomla! allows remote attackers to read the support tickets of arbitrary users via obtaining the target ticketId, and navigating to http://{target}/component/helpdeskpro/?view=ticket&id={ticketId}.

  • CVE-2015-3619MedFeb 6, 2018
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting (XSS) vulnerability in assets/js/vm2admin.js in the VirtueMart component before 3.0.8 for Joomla! allows remote attackers to inject arbitrary web script or HTML via vectors involving a "double encode combination of first_name, last_name and company."

  • CVE-2013-7431MedAug 29, 2017
    risk 0.35cvss 5.3epss 0.01

    Full path disclosure in the Googlemaps plugin before 3.1 for Joomla!.

  • CVE-2017-8057MedApr 25, 2017
    risk 0.35cvss 5.3epss 0.01

    In Joomla! 3.4.0 through 3.6.5 (fixed in 3.7.0), multiple files caused full path disclosures on systems with enabled error reporting.

  • CVE-2017-7988MedApr 25, 2017
    risk 0.35cvss 5.3epss 0.01

    In Joomla! 1.6.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of form contents allows overwriting the author of an article.

  • CVE-2017-7983MedApr 25, 2017
    risk 0.35cvss 5.3epss 0.01

    In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the JMail API leaked the used PHPMailer version in the mail headers.

  • CVE-2005-4650MedDec 31, 2005
    risk 0.35cvss 5.3epss 0.02

    Joomla! 1.03 does not restrict the number of "Search" Mambots, which allows remote attackers to cause a denial of service (resource consumption) via a large number of Search Mambots.

  • CVE-2018-25327MedMay 17, 2026
    risk 0.34cvss 5.3epss 0.00

    Joomla! Component Js Jobs 1.2.0 contains a cross-site request forgery vulnerability that allows attackers to perform state-changing actions without token validation. Attackers can craft malicious HTML forms targeting administrative endpoints like job.jobenforcedelete to delete…

  • CVE-2018-11328MedMay 22, 2018
    risk 0.31cvss 4.7epss 0.01

    An issue was discovered in Joomla! Core before 3.8.8. Under specific circumstances (a redirect issued with a URI containing a username and password when the Location: header cannot be used), a lack of escaping the user-info component of the URI could result in an XSS…

  • CVE-2016-1000121MedOct 27, 2016
    risk 0.31cvss 4.8epss 0.01

    XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension

  • CVE-2026-48900MedMay 26, 2026
    risk 0.28cvss 4.3epss 0.00

    An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.

  • CVE-2026-35220MedMay 26, 2026
    risk 0.28cvss 4.3epss 0.00

    Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.

  • CVE-2018-25354MedMay 23, 2026
    risk 0.28cvss 4.3epss 0.00

    Joomla Component jomres 9.11.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information by tricking authenticated users into visiting malicious pages. Attackers can craft HTML forms targeting the account/index endpoint with…

  • CVE-2018-25337MedMay 17, 2026
    risk 0.28cvss 4.3epss 0.00

    Joomla JoomOCShop 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML forms targeting account endpoints like /joomoc2/?route=account/edit and to modify…

  • CVE-2026-21632MedApr 1, 2026
    risk 0.28cvss 5.4epss 0.00

    Lack of output escaping for article titles leads to XSS vectors in various locations.

  • CVE-2026-21631MedApr 1, 2026
    risk 0.28cvss 5.4epss 0.00

    Lack of output escaping leads to a XSS vector in the multilingual associations component.

  • CVE-2018-17859MedOct 9, 2018
    risk 0.28cvss 4.3epss 0.01

    An issue was discovered in Joomla! before 3.8.13. Inadequate checks in com_contact could allow mail submission in disabled forms.

  • CVE-2018-17857MedOct 9, 2018
    risk 0.28cvss 4.3epss 0.01

    An issue was discovered in Joomla! before 3.8.13. Inadequate checks on the tags search fields can lead to an access level violation.

  • CVE-2018-15880MedAug 29, 2018
    risk 0.28cvss 5.4epss 0.01

    An issue was discovered in Joomla! before 3.8.12. Inadequate output filtering on the user profile page could lead to a stored XSS attack.

  • CVE-2018-11327MedMay 22, 2018
    risk 0.28cvss 4.3epss 0.01

    An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission.

  • CVE-2017-16633MedNov 10, 2017
    risk 0.28cvss 4.3epss 0.02

    In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users.

  • CVE-2025-54476MedSep 30, 2025
    risk 0.24cvss epss 0.00

    Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class.

  • CVE-2017-14595LowSep 20, 2017
    risk 0.24cvss 3.7epss 0.02

    In Joomla! before 3.8.0, a logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state.

  • CVE-2023-23752KEVFeb 16, 2023
    risk 0.16cvss epss 1.00

    An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

  • CVE-2015-8562Dec 16, 2015
    risk 0.11cvss epss 0.98

    Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.

  • CVE-2015-7857Oct 29, 2015
    risk 0.11cvss epss 0.94

    SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2 before 3.4.5 allows remote attackers to execute arbitrary SQL commands via the list[select] parameter to index.php.

  • CVE-2015-7297Oct 29, 2015
    risk 0.11cvss epss 1.00

    SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.

  • CVE-2015-7858Oct 29, 2015
    risk 0.10cvss epss 0.85

    SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.

  • CVE-2020-23972Aug 27, 2020
    risk 0.09cvss epss 0.31

    In Joomla Component GMapFP Version J3.5 and J3.5free, an attacker can access the upload function without authenticating to the application and can also upload files which due to issues of unrestricted file uploads which can be bypassed by changing the content-type and name file…

  • CVE-2019-10945Apr 10, 2019
    risk 0.09cvss epss 0.38

    An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanitize the folder parameter, allowing attackers to act outside the media manager root directory.

  • CVE-2011-4908Feb 12, 2020
    risk 0.08cvss epss 0.56

    TinyBrowser plugin for Joomla! before 1.5.13 allows arbitrary file upload via upload.php.

  • CVE-2008-5053Nov 13, 2008
    risk 0.08cvss epss 0.63

    PHP remote file inclusion vulnerability in admin.rssreader.php in the Simple RSS Reader (com_rssreader) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.

  • CVE-2014-7228Nov 3, 2014
    risk 0.07cvss epss 0.55

    Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through 1.1.2; Admin Tools Core and…

  • CVE-2008-1505Mar 25, 2008
    risk 0.07cvss epss 0.46

    PHP remote file inclusion vulnerability in the SSTREAMTV custompages (com_custompages) 1.1 and earlier component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the cpage parameter to index.php.

  • CVE-2007-2199Apr 24, 2007
    risk 0.07cvss epss 0.47

    PHP remote file inclusion vulnerability in lib/pcltar.lib.php (aka pcltar.php) in the PclTar module 1.3 and 1.3.1 for Vincent Blavet PhpConcept Library, as used in multiple products including (1) Joomla! 1.5.0 Beta, (2) N/X Web Content Management System (WCMS) 4.5, (3) CJG…

  • CVE-2011-4906Feb 12, 2020
    risk 0.06cvss epss 0.10

    Tiny browser in TinyMCE 3.0 editor in Joomla! before 1.5.13 allows file upload and arbitrary PHP code execution.

Page 4 of 22