| Severity | CVSS | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| MEDIUM | 5.3 | CVE-2023-23752 ⚠ KEV | [20230201] - Core - Improper access check in webservice endpoints | >= 4.0.0, < 4.2.8 |
| CRITICAL | 9.8 | CVE-2026-48902 | Joomla! Core - [20260518] - Transport encryption downgrade for password and username reset links | >= 3.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| CRITICAL | 9.8 | CVE-2025-25226 | [20250401] - Joomla Framework - SQL injection vulnerability in quoteNameStr method of Database package | >= 1.0.0, < 5.0.3 |
| CRITICAL | 9.8 | CVE-2022-23797 | [20220305] - Core - Inadequate filtering on the selected Ids | >= 3.0.0, <= 3.10.6, >= 4.0.0, <= 4.1.0 |
| CRITICAL | 9.8 | CVE-2022-23795 | [20220303] - Core - User row are not bound to a authentication mechanism | >= 2.5.0, <= 3.10.6, >= 4.0.0, <= 4.1.0 |
| CRITICAL | 9.8 | CVE-2020-35613 | [20201104] - Core - SQL injection in com_users list view | >= 3.0.0, <= 3.9.22 |
| CRITICAL | 9.8 | CVE-2020-10243 | An issue was discovered in Joomla! before 3.9.16. | >= 1.7.0, < 3.9.16 |
| CRITICAL | 9.8 | CVE-2022-23799 | [20220307] - Core - Variable Tampering on JInput $_REQUEST data | >= 4.0.0, <= 4.1.0 |
| CRITICAL | 9.1 | CVE-2024-27185 | [20240802] - Core - Cache Poisoning in Pagination | >= 3.0.0, < 5.1.3 |
| CRITICAL | 9.1 | CVE-2021-26040 | [20210801] - Core - Insufficient access control for com_media deletion endpoint | >= 4.0.0, <= 4.0.0 |
| CRITICAL | 9.1 | CVE-2021-23128 | [20210302] - Core - Potential Insecure FOFEncryptRandval | >= 3.2.0, < 3.9.25 |
| CRITICAL | 9.1 | CVE-2021-23127 | [20210301] - Core - Insecure randomness within 2FA secret generation | >= 3.2.0, < 3.9.25 |
| HIGH | 8.8 | CVE-2020-8420 | An issue was discovered in Joomla! before 3.9.15. | >= 3.0.0, < 3.9.15 |
| HIGH | 8.8 | CVE-2020-8419 | An issue was discovered in Joomla! before 3.9.15. | >= 3.0.0, < 3.9.15 |
| HIGH | 8.8 | CVE-2020-13760 | In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF. | >= 3.7.0, < 3.9.19 |
| HIGH | 8.8 | CVE-2020-10241 | An issue was discovered in Joomla! before 3.9.16. | >= 3.2.0, < 3.9.16 |
| HIGH | 8.8 | CVE-2020-10239 | An issue was discovered in Joomla! before 3.9.16. | >= 3.7.0, < 3.9.16 |
| HIGH | 7.5 | CVE-2026-48901 | Joomla! Core - [20260517] - Incorrect Cache Key Construction for InputFilter objects | >= 4.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| HIGH | 7.5 | CVE-2024-40749 | [20250103] - Core - Read ACL violation in multiple core views | >= 3.9.0, < 5.2.3 |
| HIGH | 7.5 | CVE-2024-40748 | [20250102] - Core - XSS vector in the id attribute of menu lists | >= 3.9.0, < 5.2.3 |
| HIGH | 7.5 | CVE-2024-27187 | [20240804] - Core - Improper ACL for backend profile view | >= 4.0.0, < 5.1.3 |
| HIGH | 7.5 | CVE-2025-25227 | [20250402] - Joomla Core - MFA Authentication Bypass | >= 4.0.0, < 5.2.6 |
| HIGH | 7.5 | CVE-2023-40626 | [20231101] - Core - Exposure of environment variables | >= 1.6.0, < 3.10.14, >= 4.0.0, < 4.4.1, >= 5.0.0, <= 5.0.0 |
| HIGH | 7.5 | CVE-2023-23755 | [20230502] - Core - Bruteforce prevention within the mfa screen | >= 4.2.0, < 4.3.2 |
| HIGH | 7.5 | CVE-2021-26038 | [20210704] - Core - Privilege escalation through com_installer | >= 2.5.0, <= 3.9.27 |
| HIGH | 7.5 | CVE-2021-26036 | [20210702] - Core - DoS through usergroup table manipulation | >= 2.5.0, <= 3.9.27 |
| HIGH | 7.5 | CVE-2021-23132 | [20210306] - Core - com_media allowed paths that are not intended for image uploads | >= 3.0.0, < 3.9.25 |
| HIGH | 7.5 | CVE-2021-23131 | [20210305] - Core - Input validation within the template manager | >= 3.2.0, < 3.9.25 |
| HIGH | 7.5 | CVE-2020-35616 | [20201107] - Core - Write ACL violation in multiple core views | >= 1.7.0, <= 3.9.22 |
| HIGH | 7.5 | CVE-2020-35612 | [20201103] - Core - Path traversal in mod_random_image | >= 2.5.0, <= 3.9.22 |
| HIGH | 7.5 | CVE-2020-35611 | [20201102] - Core - Disclosure of secrets in Global Configuration page | >= 2.5.0, <= 3.9.22 |
| HIGH | 7.5 | CVE-2020-35610 | [20201101] - Core - com_finder ignores access levels on autosuggest | >= 2.5.0, <= 3.9.22 |
| HIGH | 7.5 | CVE-2020-13763 | In Joomla! before 3.9.19, the default settings of the global textfilter configuration do not block HTML inputs for Guest users. | >= 2.5.0, < 3.9.19 |
| HIGH | 7.5 | CVE-2020-10238 | An issue was discovered in Joomla! before 3.9.16. | >= 2.5.0, < 3.9.16 |
| HIGH | 7.5 | CVE-2022-23793 | [20220301] - Core - Zip Slip within the Tar extractor | >= 3.0.0, <= 3.10.6, >= 4.0.0, <= 4.1.0 |
| MEDIUM | 6.5 | CVE-2024-21726 | [20240205] - Core - Inadequate content filtering within the filter code | >= 3.7.0, < 5.1.0 |
| MEDIUM | 6.5 | CVE-2021-26034 | [20210503] - Core - CSRF in data download endpoints | >= 3.0.0, <= 3.9.26 |
| MEDIUM | 6.5 | CVE-2021-26033 | [20210502] - Core - CSRF in AJAX reordering endpoint | >= 3.0.0, <= 3.9.26 |
| MEDIUM | 6.3 | CVE-2024-21722 | [20240201] - Core - Insufficient session expiration in MFA management views | >= 3.2.0, < 5.0.3 |
| MEDIUM | 6.3 | CVE-2023-23750 | [20230101] - Core - CSRF within post-installation messages | >= 4.0.0, <= 4.2.6 |
| MEDIUM | 6.3 | CVE-2020-35615 | [20201106] - Core - CSRF in com_privacy emailexport feature | >= 2.5.0, <= 3.9.22 |
| MEDIUM | 6.3 | CVE-2020-15700 | An issue was discovered in Joomla! through 3.9.19. | >= 3.7.0, <= 3.9.19 |
| MEDIUM | 6.3 | CVE-2020-15695 | An issue was discovered in Joomla! through 3.9.19. | >= 3.9.0, <= 3.9.19 |
| MEDIUM | 6.1 | CVE-2024-40747 | [20250101] - Core - XSS vectors in module chromes | >= 4.0.0, < 5.2.3 |
| MEDIUM | 6.1 | CVE-2024-40743 | [20240805] - Core - XSS vectors in Outputfilter::strip* methods | >= 3.0.0, < 5.1.3 |
|  |  |  |  | >= 4.0.0, < 5.1.3 |
| MEDIUM | 6.1 | CVE-2024-27184 | [20240801] - Core - Inadequate validation of internal URLs | >= 3.4.6, < 5.1.3 |
| MEDIUM | 6.1 | CVE-2024-21725 | [20240204] - Core - XSS in mail address outputs | >= 4.0.0, < 5.0.3 |
|  |  |  |  | >= 3.0.0, < 5.1.2 |
| MEDIUM | 6.1 | CVE-2024-26278 | [20240705] - Core - XSS in com_fields default field value | >= 3.7.0, < 5.1.2 |
| MEDIUM | 6.1 | CVE-2024-21731 | [20240703] - Core - XSS in StringHelper::truncate method | >= 3.0.0, < 5.1.2 |
| MEDIUM | 6.1 | CVE-2024-21729 | [20240701] - Core - XSS in accessible media selection field | >= 4.0.0, < 5.1.2 |
| MEDIUM | 6.1 | CVE-2024-21724 | [20240203] - Core - XSS in media selection fields | >= 1.6.0, < 5.0.3 |
| MEDIUM | 6.1 | CVE-2023-23754 | [20230501] - Core - Open Redirect and XSS within the mfa select | >= 4.2.0, < 4.3.2 |
| MEDIUM | 6.1 | CVE-2022-27914 | [20221101] - Core - RXSS through reflection of user input in com_media | >= 4.0.0, < 4.2.5 |
| MEDIUM | 6.1 | CVE-2022-27913 | [20221002] - Core - RXSS through reflection of user input in headings | >= 4.0.0, <= 4.2.3 |
| MEDIUM | 6.1 | CVE-2022-23801 | [20220309] - Core - XSS attack vector through SVG | >= 4.0.0, <= 4.1.0 |
| MEDIUM | 6.1 | CVE-2022-23798 | [20220306] - Core - Inadequate validation of internal URLs | >= 2.5.0, <= 3.10.6, >= 4.0.0, <= 4.1.0 |
| MEDIUM | 6.1 | CVE-2022-23796 | [20220304] - Core - Missing input validation within com_fields class inputs | >= 3.7.0, <= 3.10.6 |
|  |  |  |  | >= 3.0.0, <= 3.9.27 |
|  |  |  |  | >= 3.0.0, <= 3.9.27 |
| MEDIUM | 6.1 | CVE-2021-26032 | [20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload | >= 3.0.0, <= 3.9.26 |
| MEDIUM | 6.1 | CVE-2021-26030 | [20210401] - Core - Escape xss in logo parameter error pages | >= 3.0.0, <= 3.9.25 |
| MEDIUM | 6.1 | CVE-2021-23130 | [20210304] - Core - XSS within the feed parser library | >= 2.5.0, < 3.9.25 |
| MEDIUM | 6.1 | CVE-2021-23129 | [20210303] - Core - XSS within alert messages showed to users | >= 2.5.0, < 3.9.25 |
| MEDIUM | 6.1 | CVE-2021-23125 | [20210103] - Core - XSS in com_tags image parameters | >= 3.1.0, <= 3.9.23 |
| MEDIUM | 6.1 | CVE-2021-23124 | [20210102] - Core - XSS in mod_breadcrumbs aria-label attribute | >= 3.9.0, <= 3.9.23 |
| MEDIUM | 6.1 | CVE-2020-8421 | An issue was discovered in Joomla! before 3.9.15. | >= 3.9.0, < 3.9.14 |
| MEDIUM | 6.1 | CVE-2020-24599 | An issue was discovered in Joomla! before 3.9.21. | >= 3.9.0, < 3.9.21 |
| MEDIUM | 6.1 | CVE-2020-24598 | An issue was discovered in Joomla! before 3.9.21. | >= 3.0.0, < 3.9.21 |
| MEDIUM | 6.1 | CVE-2020-15696 | An issue was discovered in Joomla! through 3.9.19. | >= 3.0.0, <= 3.9.19 |
| MEDIUM | 6.1 | CVE-2020-13762 | In Joomla! before 3.9.19, incorrect input validation of the module tag option in com_modules allows XSS. | >= 3.9.0, < 3.9.19 |
| MEDIUM | 6.1 | CVE-2020-13761 | In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories" modu… | >= 3.0.0, < 3.9.19 |
| MEDIUM | 6.1 | CVE-2020-10242 | An issue was discovered in Joomla! before 3.9.16. | >= 3.0.0, < 3.9.16 |
| MEDIUM | 6.1 | CVE-2022-23800 | [20220308] - Core - Inadequate content filtering within the filter code | >= 4.0.0, <= 4.1.0 |
| MEDIUM | 5.5 | CVE-2021-26028 | [20210308] - Core - Path Traversal within joomla/archive zip class | >= 3.0.0, < 3.9.25 |
| MEDIUM | 5.4 | CVE-2024-21730 | [20240702] - Core - Self-XSS in fancyselect list field layout | >= 4.0.0, < 5.1.2 |
| MEDIUM | 5.3 | CVE-2022-27912 | [20221001] - Core - Debug Mode leaks full request payloads including passwords | >= 4.0.0, <= 4.2.3 |
| MEDIUM | 5.3 | CVE-2022-27911 | [20220801] - Core - Multiple Full Path Disclosures because of missing '_JEXEC or die check' | >= 4.2.0, <= 4.2.0 |
| MEDIUM | 5.3 | CVE-2021-26037 | [20210703] - Core - Lack of enforced session termination | >= 2.5.0, <= 3.9.27 |
| MEDIUM | 5.3 | CVE-2021-26031 | [20210402] - Core - Inadequate filters on module layout settings | >= 3.0.0, <= 3.9.25 |
| MEDIUM | 5.3 | CVE-2021-26029 | [20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field | >= 1.6.0, < 3.9.25 |
| MEDIUM | 5.3 | CVE-2021-26027 | [20210307] - Core - ACL violation within com_content frontend editing | >= 3.0.0, < 3.9.25 |
| MEDIUM | 5.3 | CVE-2021-23126 | [20210301] - Core - Insecure randomness within 2FA secret generation | >= 3.2.0, < 3.9.25 |
| MEDIUM | 5.3 | CVE-2021-23123 | [20210101] - Core - com_modules exposes module names | >= 3.0.0, <= 3.9.23 |
| MEDIUM | 5.3 | CVE-2020-35614 | [20201105] - Core - User Enumeration in backend login | >= 3.9.0, <= 3.9.22 |
| MEDIUM | 5.3 | CVE-2020-15699 | An issue was discovered in Joomla! through 3.9.19. | >= 2.5.0, <= 3.9.19 |
| MEDIUM | 5.3 | CVE-2020-15698 | An issue was discovered in Joomla! through 3.9.19. | >= 3.0.0, <= 3.9.19 |
| MEDIUM | 5.3 | CVE-2020-11891 | An issue was discovered in Joomla! before 3.9.17. | >= 3.8.8, < 3.9.17 |
| MEDIUM | 5.3 | CVE-2020-11890 | An issue was discovered in Joomla! before 3.9.17. | >= 2.5.0, < 3.9.17 |
| MEDIUM | 5.3 | CVE-2020-11889 | An issue was discovered in Joomla! before 3.9.17. | >= 2.5.0, < 3.9.17 |
| MEDIUM | 5.3 | CVE-2020-10240 | An issue was discovered in Joomla! before 3.9.16. | >= 3.0.0, < 3.9.16 |
| MEDIUM | 5.3 | CVE-2022-23794 | [20220302] - Core - Path Disclosure within filesystem error messages | >= 3.0.0, <= 3.10.6, >= 4.0.0, <= 4.1.0 |
| MEDIUM | 4.3 | CVE-2024-21723 | [20240202] - Core - Open redirect in installation application | >= 1.5.0, < 5.0.3 |
| MEDIUM | 4.3 | CVE-2023-23751 | [20230102] - Core - Missing ACL checks for com_actionlogs | >= 4.0.0, <= 4.2.4 |
| MEDIUM | 4.3 | CVE-2020-15697 | An issue was discovered in Joomla! through 3.9.19. | >= 3.0.0, <= 3.9.19 |
|  |  |  |  | >= 4.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
|  |  |  |  | >= 4.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | — | CVE-2026-40384 | Joomla! Core - [20260510] - Path traversal in com_media webservice endpoint | >= 4.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | — | CVE-2026-35223 | Joomla! Core - [20260508] - Improper access check in com_config webservice endpoints | >= 4.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | — | CVE-2026-40383 | Joomla! Core - [20260509] - LFI in HTMLView layout parameter | >= 3.2.1, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | — | CVE-2026-35222 | Joomla! Core - [20260507] - Authenticated blind SQLi in com_tags | >= 3.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | — | CVE-2026-35221 | Joomla! Core - [20260506] - Authenticated blind SQLi in com_finder | >= 3.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | — | CVE-2026-35220 | Joomla! Core - [20260505] - CSRF in user activation endpoint | >= 6.0.0, < 6.1.1 |
|  |  |  |  | >= 3.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
|  |  |  |  | >= 3.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
|  |  |  |  | >= 3.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
|  |  |  |  | >= 3.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | — | CVE-2026-48905 | Joomla! Framework - [20260520] - Inadequate content filtering within the cleanAttributes filter code. | >= 3.0.0, < 5.4.6, >= 6.0.0, < 6.1.0 |
| — | — | CVE-2026-48904 | Joomla! Core - [20260514] - Privilege escalation through com_users webservice endpoints | >= 4.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | — | CVE-2026-48903 | Joomla! Framework - [20260519] - Inadequate content filtering within the checkAttribute filter code. | >= 3.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | — | CVE-2026-48900 | Joomla! Core - [20260516] - Incorrect Access Control in com_scheduler | >= 4.1.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | — | CVE-2026-48899 | Joomla! Core - [20260515] - Incorrect Access Control in sample data plugins | >= 4.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | — | CVE-2026-48898 | Joomla! Core - [20260513] - Privilege escalation through com_users batch task | >= 4.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | — | CVE-2026-23899 | Joomla! Core - [20260306] - Improper access check in webservice endpoints | >= 3.0.0, < 5.4.4, >= 6.0.0, < 6.0.4 |
| — | — | CVE-2026-23898 | Joomla! Core - [20260305] - Arbitrary file deletion in com_joomlaupdate | >= 3.0.0, < 5.4.4, >= 6.0.0, < 6.0.4 |
| — | — | CVE-2026-21632 | Joomla! Core - [20260304] - XSS vectors in various article title outputs | >= 3.0.0, < 5.4.4, >= 6.0.0, < 6.0.4 |
| — | — | CVE-2026-21631 | Joomla! Core - [20260303] - XSS vector in com_associations comparison view | >= 3.0.0, < 5.4.4, >= 6.0.0, < 6.0.4 |
| — | — | CVE-2026-21630 | Joomla! Core - [20260302] - SQL injection in com_content articles webservice endpoint | >= 3.0.0, < 5.4.4, >= 6.0.0, < 6.0.4 |
|  |  |  |  | >= 3.0.0, < 5.4.4, >= 6.0.0, < 6.0.4 |
| — | — | CVE-2025-63083 | Joomla! Core - [20260102] - XSS vector in the pagebreak plugin | >= 3.9.0, < 5.4.2, >= 6.0.0, < 6.0.2 |
| — | — | CVE-2025-63082 | Joomla! Core - [20260101] - Inadequate content filtering for data URLs | >= 4.0.0, < 5.4.2, >= 6.0.0, < 6.0.2 |