Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0847
Vulnerability from certfr_avis - Published: 2026-07-08 - Updated: 2026-07-08
De multiples vulnérabilités ont été découvertes dans Joomla!. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Joomla! versions 6.x ant\u00e9rieures \u00e0 6.1.2",
"product": {
"name": "Joomla!",
"vendor": {
"name": "Joomla!",
"scada": false
}
}
},
{
"description": "Joomla! versions ant\u00e9rieures \u00e0 5.4.7",
"product": {
"name": "Joomla!",
"vendor": {
"name": "Joomla!",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-48957",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48957"
},
{
"name": "CVE-2026-48950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48950"
},
{
"name": "CVE-2026-48953",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48953"
},
{
"name": "CVE-2026-48948",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48948"
},
{
"name": "CVE-2026-48949",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48949"
},
{
"name": "CVE-2026-48956",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48956"
},
{
"name": "CVE-2026-48958",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48958"
},
{
"name": "CVE-2026-48951",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48951"
},
{
"name": "CVE-2026-48954",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48954"
},
{
"name": "CVE-2026-48955",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48955"
},
{
"name": "CVE-2026-48947",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48947"
},
{
"name": "CVE-2026-48952",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48952"
}
],
"initial_release_date": "2026-07-08T00:00:00",
"last_revision_date": "2026-07-08T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0847",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-07-08T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Joomla!. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Joomla!",
"vendor_advisories": [
{
"published_at": "2026-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Joomla! 1064-20260710",
"url": "https://developer.joomla.org/security-centre/1064-20260710-core-incorrect-access-control-in-com-modules.html"
},
{
"published_at": "2026-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Joomla! 1063-20260709",
"url": "https://developer.joomla.org/security-centre/1063-20260709-core-incorrect-access-control-in-com-workflow.html"
},
{
"published_at": "2026-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Joomla! 1057-20260703",
"url": "https://developer.joomla.org/security-centre/1057-20260703-core-xss-in-mfa-method-management.html"
},
{
"published_at": "2026-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Joomla! 1062-20260708",
"url": "https://developer.joomla.org/security-centre/1062-20260708-core-xss-through-language-overrides.html"
},
{
"published_at": "2026-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Joomla! 1066-20260712",
"url": "https://developer.joomla.org/security-centre/1066-20260712-core-incorrect-access-control-in-com-fields-webservice-endpoints.html"
},
{
"published_at": "2026-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Joomla! 1058-20260704",
"url": "https://developer.joomla.org/security-centre/1058-20260704-core-xss-in-com-templates.html"
},
{
"published_at": "2026-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Joomla! 1056-20260702",
"url": "https://developer.joomla.org/security-centre/1056-20260702-core-incorrect-access-control-in-com-contact-vcf-download.html"
},
{
"published_at": "2026-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Joomla! 1059-20260705",
"url": "https://developer.joomla.org/security-centre/1059-20260705-core-xss-in-various-modalreturn-layouts.html"
},
{
"published_at": "2026-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Joomla! 1065-20260711",
"url": "https://developer.joomla.org/security-centre/1065-20260711-core-incorrect-access-control-in-com-privacy-webservice-endpoints.html"
},
{
"published_at": "2026-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Joomla! 1055-20260701",
"url": "https://developer.joomla.org/security-centre/1055-20260701-core-incorrect-access-control-in-com-media-webservice-endpoints.html"
},
{
"published_at": "2026-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Joomla! 1060-20260706",
"url": "https://developer.joomla.org/security-centre/1060-20260706-core-xss-in-com-installer.html"
},
{
"published_at": "2026-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Joomla! 1061-20260707",
"url": "https://developer.joomla.org/security-centre/1061-20260707-core-xss-in-the-generic-image-output-layout.html"
}
]
}
CVE-2026-48947 (GCVE-0-2026-48947)
Vulnerability from cvelistv5 – Published: 2026-07-07 17:32 – Updated: 2026-07-08 09:56
VLAI
EPSS
Title
Joomla! Core - [20260701] - Incorrect Access Control in com_media webservice endpoints
Summary
An improper access check allows privileged users to overwrite media files without editing permissions.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://developer.joomla.org/security-centre/1055… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Joomla! Project | Joomla! CMS |
Affected:
4.1.0-5.4.6
Affected: 6.0.0-6.1.1 |
Credits
Federico Brasili, https://www.linkedin.com/in/federico-brasili-00b4b7332/
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T18:35:14.984578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T18:35:22.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Joomla! CMS",
"vendor": "Joomla! Project",
"versions": [
{
"status": "affected",
"version": "4.1.0-5.4.6"
},
{
"status": "affected",
"version": "6.0.0-6.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Federico Brasili, https://www.linkedin.com/in/federico-brasili-00b4b7332/"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper access check allows privileged users to overwrite media files without editing permissions."
}
],
"value": "An improper access check allows privileged users to overwrite media files without editing permissions."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T09:56:00.315Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://developer.joomla.org/security-centre/1055-20260701-core-incorrect-access-control-in-com-media-webservice-endpoints.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Joomla! Core - [20260701] - Incorrect Access Control in com_media webservice endpoints",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-48947",
"datePublished": "2026-07-07T17:32:45.116Z",
"dateReserved": "2026-05-26T16:47:13.550Z",
"dateUpdated": "2026-07-08T09:56:00.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48948 (GCVE-0-2026-48948)
Vulnerability from cvelistv5 – Published: 2026-07-07 17:29 – Updated: 2026-07-08 09:52
VLAI
EPSS
Title
Joomla! Core - [20260702] - Incorrect Access Control in com_contact vcf download
Summary
An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://developer.joomla.org/security-centre/1056… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Joomla! Project | Joomla! CMS |
Affected:
3.0.0-5.4.6
Affected: 6.0.0-6.1.1 |
Credits
Jorian Woltjer
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T18:45:28.746420Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T18:48:46.440Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Joomla! CMS",
"vendor": "Joomla! Project",
"versions": [
{
"status": "affected",
"version": "3.0.0-5.4.6"
},
{
"status": "affected",
"version": "6.0.0-6.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jorian Woltjer"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible."
}
],
"value": "An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T09:52:52.045Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://developer.joomla.org/security-centre/1056-20260702-core-incorrect-access-control-in-com-contact-vcf-download.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Joomla! Core - [20260702] - Incorrect Access Control in com_contact vcf download",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-48948",
"datePublished": "2026-07-07T17:29:47.142Z",
"dateReserved": "2026-05-26T16:47:13.550Z",
"dateUpdated": "2026-07-08T09:52:52.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48949 (GCVE-0-2026-48949)
Vulnerability from cvelistv5 – Published: 2026-07-07 17:29 – Updated: 2026-07-08 09:52
VLAI
EPSS
Title
Joomla! Core - [20260703] - XSS in MFA method management
Summary
Lack of validation leads to an XSS vulnerability in the MFA management views.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://developer.joomla.org/security-centre/1057… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Joomla! Project | Joomla! CMS |
Affected:
4.2.0-5.4.6
Affected: 6.0.0-6.1.1 |
Credits
Jorian Woltjer
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48949",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T18:44:10.684311Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T18:44:19.279Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Joomla! CMS",
"vendor": "Joomla! Project",
"versions": [
{
"status": "affected",
"version": "4.2.0-5.4.6"
},
{
"status": "affected",
"version": "6.0.0-6.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jorian Woltjer"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Lack of validation leads to an XSS vulnerability in the MFA management views."
}
],
"value": "Lack of validation leads to an XSS vulnerability in the MFA management views."
}
],
"impacts": [
{
"capecId": "CAPEC-18",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-18 XSS Targeting Non-Script Elements"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T09:52:37.880Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://developer.joomla.org/security-centre/1057-20260703-core-xss-in-mfa-method-management.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Joomla! Core - [20260703] - XSS in MFA method management",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-48949",
"datePublished": "2026-07-07T17:29:33.872Z",
"dateReserved": "2026-05-26T16:47:13.550Z",
"dateUpdated": "2026-07-08T09:52:37.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48950 (GCVE-0-2026-48950)
Vulnerability from cvelistv5 – Published: 2026-07-07 17:31 – Updated: 2026-07-08 09:54
VLAI
EPSS
Title
Joomla! Core - [20260704] - XSS in com_templates
Summary
Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://developer.joomla.org/security-centre/1058… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Joomla! Project | Joomla! CMS |
Affected:
4.0.0-5.4.6
Affected: 6.0.0-6.1.1 |
Credits
Jorian Woltjer
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T18:40:50.946478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T18:40:59.395Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Joomla! CMS",
"vendor": "Joomla! Project",
"versions": [
{
"status": "affected",
"version": "4.0.0-5.4.6"
},
{
"status": "affected",
"version": "6.0.0-6.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jorian Woltjer"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Lack of escaping leads to an XSS vulnerability in the file management view of com_templates."
}
],
"value": "Lack of escaping leads to an XSS vulnerability in the file management view of com_templates."
}
],
"impacts": [
{
"capecId": "CAPEC-18",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-18 XSS Targeting Non-Script Elements"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T09:54:59.780Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://developer.joomla.org/security-centre/1058-20260704-core-xss-in-com-templates.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Joomla! Core - [20260704] - XSS in com_templates",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-48950",
"datePublished": "2026-07-07T17:31:46.968Z",
"dateReserved": "2026-05-26T16:47:13.550Z",
"dateUpdated": "2026-07-08T09:54:59.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48951 (GCVE-0-2026-48951)
Vulnerability from cvelistv5 – Published: 2026-07-07 17:30 – Updated: 2026-07-08 09:53
VLAI
EPSS
Title
Joomla! Core - [20260705] - XSS in various modalreturn layouts
Summary
Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://developer.joomla.org/security-centre/1059… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Joomla! Project | Joomla! CMS |
Affected:
4.0.0-5.4.6
Affected: 6.0.0-6.1.1 |
Credits
Jorian Woltjer
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48951",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T18:53:39.104248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T18:53:49.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Joomla! CMS",
"vendor": "Joomla! Project",
"versions": [
{
"status": "affected",
"version": "4.0.0-5.4.6"
},
{
"status": "affected",
"version": "6.0.0-6.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jorian Woltjer"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components."
}
],
"value": "Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components."
}
],
"impacts": [
{
"capecId": "CAPEC-18",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-18 XSS Targeting Non-Script Elements"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T09:53:34.261Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://developer.joomla.org/security-centre/1059-20260705-core-xss-in-various-modalreturn-layouts.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Joomla! Core - [20260705] - XSS in various modalreturn layouts",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-48951",
"datePublished": "2026-07-07T17:30:24.904Z",
"dateReserved": "2026-05-26T16:47:13.550Z",
"dateUpdated": "2026-07-08T09:53:34.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48952 (GCVE-0-2026-48952)
Vulnerability from cvelistv5 – Published: 2026-07-07 17:33 – Updated: 2026-07-08 09:56
VLAI
EPSS
Title
Joomla! Core - [20260706] - XSS in com_installer
Summary
Lack of escaping leads to an XSS vulnerability in the update list view of com_installer.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://developer.joomla.org/security-centre/1060… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Joomla! Project | Joomla! CMS |
Affected:
4.0.0-5.4.6
Affected: 6.0.0-6.1.1 |
Credits
meifukun
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48952",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T18:33:48.060052Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T18:34:05.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Joomla! CMS",
"vendor": "Joomla! Project",
"versions": [
{
"status": "affected",
"version": "4.0.0-5.4.6"
},
{
"status": "affected",
"version": "6.0.0-6.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "meifukun"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Lack of escaping leads to an XSS vulnerability in the update list view of com_installer."
}
],
"value": "Lack of escaping leads to an XSS vulnerability in the update list view of com_installer."
}
],
"impacts": [
{
"capecId": "CAPEC-18",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-18 XSS Targeting Non-Script Elements"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T09:56:50.251Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://developer.joomla.org/security-centre/1060-20260706-core-xss-in-com-installer.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Joomla! Core - [20260706] - XSS in com_installer",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-48952",
"datePublished": "2026-07-07T17:33:39.504Z",
"dateReserved": "2026-05-26T16:47:13.550Z",
"dateUpdated": "2026-07-08T09:56:50.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48953 (GCVE-0-2026-48953)
Vulnerability from cvelistv5 – Published: 2026-07-07 17:30 – Updated: 2026-07-08 09:53
VLAI
EPSS
Title
Joomla! Core - [20260707] - XSS in the generic image output layout
Summary
Lack of escaping leads to an XSS vulnerability in the generic image output layout.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://developer.joomla.org/security-centre/1061… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Joomla! Project | Joomla! CMS |
Affected:
4.0.0-5.4.6
Affected: 6.0.0-6.1.1 |
Credits
Pavel Kohout, Aisle Research
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48953",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T18:50:53.114959Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T18:52:58.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Joomla! CMS",
"vendor": "Joomla! Project",
"versions": [
{
"status": "affected",
"version": "4.0.0-5.4.6"
},
{
"status": "affected",
"version": "6.0.0-6.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pavel Kohout, Aisle Research"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Lack of escaping leads to an XSS vulnerability in the generic image output layout."
}
],
"value": "Lack of escaping leads to an XSS vulnerability in the generic image output layout."
}
],
"impacts": [
{
"capecId": "CAPEC-18",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-18 XSS Targeting Non-Script Elements"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T09:53:08.632Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://developer.joomla.org/security-centre/1061-20260707-core-xss-in-the-generic-image-output-layout.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Joomla! Core - [20260707] - XSS in the generic image output layout",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-48953",
"datePublished": "2026-07-07T17:30:00.427Z",
"dateReserved": "2026-05-26T16:47:13.550Z",
"dateUpdated": "2026-07-08T09:53:08.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48954 (GCVE-0-2026-48954)
Vulnerability from cvelistv5 – Published: 2026-07-07 17:29 – Updated: 2026-07-08 09:52
VLAI
EPSS
Title
Joomla! Core - [20260708] - XSS through language overrides
Summary
Improper validation leads to a generic XSS vector in the language override feature.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://developer.joomla.org/security-centre/1062… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Joomla! Project | Joomla! CMS |
Affected:
3.0.0-5.4.6
Affected: 6.0.0-6.1.1 |
Credits
Morris Baumgarten-Egemole
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48954",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T18:43:24.410096Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T18:43:57.346Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Joomla! CMS",
"vendor": "Joomla! Project",
"versions": [
{
"status": "affected",
"version": "3.0.0-5.4.6"
},
{
"status": "affected",
"version": "6.0.0-6.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Morris Baumgarten-Egemole"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper validation leads to a generic XSS vector in the language override feature."
}
],
"value": "Improper validation leads to a generic XSS vector in the language override feature."
}
],
"impacts": [
{
"capecId": "CAPEC-18",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-18 XSS Targeting Non-Script Elements"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T09:52:30.862Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://developer.joomla.org/security-centre/1062-20260708-core-xss-through-language-overrides.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Joomla! Core - [20260708] - XSS through language overrides",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-48954",
"datePublished": "2026-07-07T17:29:28.797Z",
"dateReserved": "2026-05-26T16:47:13.550Z",
"dateUpdated": "2026-07-08T09:52:30.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48955 (GCVE-0-2026-48955)
Vulnerability from cvelistv5 – Published: 2026-07-07 17:31 – Updated: 2026-07-08 09:54
VLAI
EPSS
Title
Joomla! Core - [20260709] - Incorrect Access Control in com_workflow
Summary
An improper access check allows unauthorized users to access workflow stage and transition information.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://developer.joomla.org/security-centre/1063… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Joomla! Project | Joomla! CMS |
Affected:
6.0.0-6.1.1
|
Credits
廖双
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48955",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T18:41:11.630932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T18:42:15.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Joomla! CMS",
"vendor": "Joomla! Project",
"versions": [
{
"status": "affected",
"version": "6.0.0-6.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u5ed6\u53cc"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper access check allows unauthorized users to access workflow stage and transition information."
}
],
"value": "An improper access check allows unauthorized users to access workflow stage and transition information."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T09:54:46.961Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://developer.joomla.org/security-centre/1063-20260709-core-incorrect-access-control-in-com-workflow.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Joomla! Core - [20260709] - Incorrect Access Control in com_workflow",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-48955",
"datePublished": "2026-07-07T17:31:35.096Z",
"dateReserved": "2026-05-26T16:47:13.550Z",
"dateUpdated": "2026-07-08T09:54:46.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48956 (GCVE-0-2026-48956)
Vulnerability from cvelistv5 – Published: 2026-07-07 17:31 – Updated: 2026-07-08 09:54
VLAI
EPSS
Title
Joomla! Core - [20260710] - Incorrect Access Control in com_modules
Summary
An improper access check allows users to display a list of modules in the frontend.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://developer.joomla.org/security-centre/1064… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Joomla! Project | Joomla! CMS |
Affected:
4.0.0-5.4.6
Affected: 6.0.0-6.1.1 |
Credits
Warisjeet Singh (sin99xx)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48956",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T18:38:53.208864Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T18:39:02.054Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Joomla! CMS",
"vendor": "Joomla! Project",
"versions": [
{
"status": "affected",
"version": "4.0.0-5.4.6"
},
{
"status": "affected",
"version": "6.0.0-6.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Warisjeet Singh (sin99xx)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper access check allows users to display a list of modules in the frontend."
}
],
"value": "An improper access check allows users to display a list of modules in the frontend."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T09:54:45.131Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://developer.joomla.org/security-centre/1064-20260710-core-incorrect-access-control-in-com-modules.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Joomla! Core - [20260710] - Incorrect Access Control in com_modules",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-48956",
"datePublished": "2026-07-07T17:31:34.152Z",
"dateReserved": "2026-05-26T16:47:13.550Z",
"dateUpdated": "2026-07-08T09:54:45.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…