| Severity | CVSS | Advisory | Affected versions |
|---|---|---|---|
| MEDIUM | 5.3 | CVE-2023-23752 (KEV) [20230201] - Core - Improper access check in webservice endpoints | >= 4.0.0, < 4.2.8 |
| CRITICAL | 9.8 | CVE-2026-48902 Joomla! Core - [20260518] - Transport encryption downgrade for password and username reset links | >= 3.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| CRITICAL | 9.8 | [20250401] - Joomla Framework - SQL injection vulnerability in quoteNameStr method of Database package | >= 1.0.0, < 5.0.3 |
| CRITICAL | 9.8 | [20220305] - Core - Inadequate filtering on the selected Ids | >= 3.0.0, <= 3.10.6, >= 4.0.0, <= 4.1.0 |
| CRITICAL | 9.8 | [20220303] - Core - User row are not bound to a authentication mechanism | >= 2.5.0, <= 3.10.6, >= 4.0.0, <= 4.1.0 |
| CRITICAL | 9.8 | [20201104] - Core - SQL injection in com_users list view | >= 3.0.0, <= 3.9.22 |
| CRITICAL | 9.8 | An issue was discovered in Joomla! before 3.9.16. | >= 1.7.0, < 3.9.16 |
| CRITICAL | 9.8 | [20220307] - Core - Variable Tampering on JInput $_REQUEST data | >= 4.0.0, <= 4.1.0 |
| CRITICAL | 9.1 | [20240802] - Core - Cache Poisoning in Pagination | >= 3.0.0, < 5.1.3 |
| CRITICAL | 9.1 | [20210801] - Core - Insufficient access control for com_media deletion endpoint | >= 4.0.0, <= 4.0.0 |
| CRITICAL | 9.1 | [20210302] - Core - Potential Insecure FOFEncryptRandval | >= 3.2.0, < 3.9.25 |
| CRITICAL | 9.1 | [20210301] - Core - Insecure randomness within 2FA secret generation | >= 3.2.0, < 3.9.25 |
| HIGH | 8.8 | An issue was discovered in Joomla! before 3.9.15. | >= 3.0.0, < 3.9.15 |
| HIGH | 8.8 | An issue was discovered in Joomla! before 3.9.15. | >= 3.0.0, < 3.9.15 |
| HIGH | 8.8 | In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF. | >= 3.7.0, < 3.9.19 |
| HIGH | 8.8 | An issue was discovered in Joomla! before 3.9.16. | >= 3.2.0, < 3.9.16 |
| HIGH | 8.8 | An issue was discovered in Joomla! before 3.9.16. | >= 3.7.0, < 3.9.16 |
| HIGH | 7.5 | Joomla! Core - [20260517] - Incorrect Cache Key Construction for InputFilter objects | >= 4.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| HIGH | 7.5 | [20250103] - Core - Read ACL violation in multiple core views | >= 3.9.0, < 5.2.3 |
| HIGH | 7.5 | [20250102] - Core - XSS vector in the id attribute of menu lists | >= 3.9.0, < 5.2.3 |
| HIGH | 7.5 | [20240804] - Core - Improper ACL for backend profile view | >= 4.0.0, < 5.1.3 |
| HIGH | 7.5 | [20250402] - Joomla Core - MFA Authentication Bypass | >= 4.0.0, < 5.2.6 |
| HIGH | 7.5 | [20231101] - Core - Exposure of environment variables | >= 1.6.0, < 3.10.14, >= 4.0.0, < 4.4.1, >= 5.0.0, <= 5.0.0 |
| HIGH | 7.5 | [20230502] - Core - Bruteforce prevention within the mfa screen | >= 4.2.0, < 4.3.2 |
| HIGH | 7.5 | [20210704] - Core - Privilege escalation through com_installer | >= 2.5.0, <= 3.9.27 |
| HIGH | 7.5 | [20210702] - Core - DoS through usergroup table manipulation | >= 2.5.0, <= 3.9.27 |
| HIGH | 7.5 | [20210306] - Core - com_media allowed paths that are not intended for image uploads | >= 3.0.0, < 3.9.25 |
| HIGH | 7.5 | [20210305] - Core - Input validation within the template manager | >= 3.2.0, < 3.9.25 |
| HIGH | 7.5 | [20201107] - Core - Write ACL violation in multiple core views | >= 1.7.0, <= 3.9.22 |
| HIGH | 7.5 | [20201103] - Core - Path traversal in mod_random_image | >= 2.5.0, <= 3.9.22 |
| HIGH | 7.5 | [20201102] - Core - Disclosure of secrets in Global Configuration page | >= 2.5.0, <= 3.9.22 |
| HIGH | 7.5 | [20201101] - Core - com_finder ignores access levels on autosuggest | >= 2.5.0, <= 3.9.22 |
| HIGH | 7.5 | In Joomla! before 3.9.19, the default settings of the global textfilter configuration do not block HTML inputs for Guest users. | >= 2.5.0, < 3.9.19 |
| HIGH | 7.5 | An issue was discovered in Joomla! before 3.9.16. | >= 2.5.0, < 3.9.16 |
| HIGH | 7.5 | [20220301] - Core - Zip Slip within the Tar extractor | >= 3.0.0, <= 3.10.6, >= 4.0.0, <= 4.1.0 |
| MEDIUM | 6.5 | [20240205] - Core - Inadequate content filtering within the filter code | >= 3.7.0, < 5.1.0 |
| MEDIUM | 6.5 | [20210503] - Core - CSRF in data download endpoints | >= 3.0.0, <= 3.9.26 |
| MEDIUM | 6.5 | [20210502] - Core - CSRF in AJAX reordering endpoint | >= 3.0.0, <= 3.9.26 |
| MEDIUM | 6.3 | [20240201] - Core - Insufficient session expiration in MFA management views | >= 3.2.0, < 5.0.3 |
| MEDIUM | 6.3 | [20230101] - Core - CSRF within post-installation messages | >= 4.0.0, <= 4.2.6 |
| MEDIUM | 6.3 | [20201106] - Core - CSRF in com_privacy emailexport feature | >= 2.5.0, <= 3.9.22 |
| MEDIUM | 6.3 | An issue was discovered in Joomla! through 3.9.19. | >= 3.7.0, <= 3.9.19 |
| MEDIUM | 6.3 | An issue was discovered in Joomla! through 3.9.19. | >= 3.9.0, <= 3.9.19 |
| MEDIUM | 6.1 | [20250101] - Core - XSS vectors in module chromes | >= 4.0.0, < 5.2.3 |
| MEDIUM | 6.1 | [20240805] - Core - XSS vectors in Outputfilter::strip* methods | >= 3.0.0, < 5.1.3 |
| MEDIUM | 6.1 | [20240803] - Core - XSS in HTML Mail Templates | >= 4.0.0, < 5.1.3 |
| MEDIUM | 6.1 | [20240801] - Core - Inadequate validation of internal URLs | >= 3.4.6, < 5.1.3 |
| MEDIUM | 6.1 | [20240204] - Core - XSS in mail address outputs | >= 4.0.0, < 5.0.3 |
| MEDIUM | 6.1 | [20240704] - Core - XSS in Wrapper extensions | >= 3.0.0, < 5.1.2 |
| MEDIUM | 6.1 | [20240705] - Core - XSS in com_fields default field value | >= 3.7.0, < 5.1.2 |
| MEDIUM | 6.1 | [20240703] - Core - XSS in StringHelper::truncate method | >= 3.0.0, < 5.1.2 |
| MEDIUM | 6.1 | [20240701] - Core - XSS in accessible media selection field | >= 4.0.0, < 5.1.2 |
| MEDIUM | 6.1 | [20240203] - Core - XSS in media selection fields | >= 1.6.0, < 5.0.3 |
| MEDIUM | 6.1 | [20230501] - Core - Open Redirect and XSS within the mfa select | >= 4.2.0, < 4.3.2 |
| MEDIUM | 6.1 | [20221101] - Core - RXSS through reflection of user input in com_media | >= 4.0.0, < 4.2.5 |
| MEDIUM | 6.1 | [20221002] - Core - RXSS through reflection of user input in headings | >= 4.0.0, <= 4.2.3 |
| MEDIUM | 6.1 | [20220309] - Core - XSS attack vector through SVG | >= 4.0.0, <= 4.1.0 |
| MEDIUM | 6.1 | [20220306] - Core - Inadequate validation of internal URLs | >= 2.5.0, <= 3.10.6, >= 4.0.0, <= 4.1.0 |
| MEDIUM | 6.1 | [20220304] - Core - Missing input validation within com_fields class inputs | >= 3.7.0, <= 3.10.6 |
| MEDIUM | 6.1 | [20210705] - Core - XSS in com_media imagelist | >= 3.0.0, <= 3.9.27 |
| MEDIUM | 6.1 | [20210701] - Core - XSS in JForm Rules field | >= 3.0.0, <= 3.9.27 |
| MEDIUM | 6.1 | [20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload | >= 3.0.0, <= 3.9.26 |
| MEDIUM | 6.1 | [20210401] - Core - Escape xss in logo parameter error pages | >= 3.0.0, <= 3.9.25 |
| MEDIUM | 6.1 | [20210304] - Core - XSS within the feed parser library | >= 2.5.0, < 3.9.25 |
| MEDIUM | 6.1 | [20210303] - Core - XSS within alert messages showed to users | >= 2.5.0, < 3.9.25 |
| MEDIUM | 6.1 | [20210103] - Core - XSS in com_tags image parameters | >= 3.1.0, <= 3.9.23 |
| MEDIUM | 6.1 | [20210102] - Core - XSS in mod_breadcrumbs aria-label attribute | >= 3.9.0, <= 3.9.23 |
| MEDIUM | 6.1 | An issue was discovered in Joomla! before 3.9.15. | >= 3.9.0, < 3.9.14 |
| MEDIUM | 6.1 | An issue was discovered in Joomla! before 3.9.21. | >= 3.9.0, < 3.9.21 |
| MEDIUM | 6.1 | An issue was discovered in Joomla! before 3.9.21. | >= 3.0.0, < 3.9.21 |
| MEDIUM | 6.1 | An issue was discovered in Joomla! through 3.9.19. | >= 3.0.0, <= 3.9.19 |
| MEDIUM | 6.1 | In Joomla! before 3.9.19, incorrect input validation of the module tag option in com_modules allows XSS. | >= 3.9.0, < 3.9.19 |
| MEDIUM | 6.1 | In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories" modu… | >= 3.0.0, < 3.9.19 |
| MEDIUM | 6.1 | An issue was discovered in Joomla! before 3.9.16. | >= 3.0.0, < 3.9.16 |
| MEDIUM | 6.1 | [20220308] - Core - Inadequate content filtering within the filter code | >= 4.0.0, <= 4.1.0 |
| MEDIUM | 5.5 | [20210308] - Core - Path Traversal within joomla/archive zip class | >= 3.0.0, < 3.9.25 |
| MEDIUM | 5.4 | [20240702] - Core - Self-XSS in fancyselect list field layout | >= 4.0.0, < 5.1.2 |
| MEDIUM | 5.3 | [20221001] - Core - Debug Mode leaks full request payloads including passwords | >= 4.0.0, <= 4.2.3 |
| MEDIUM | 5.3 | [20220801] - Core - Multiple Full Path Disclosures because of missing '_JEXEC or die check' | >= 4.2.0, <= 4.2.0 |
| MEDIUM | 5.3 | [20210703] - Core - Lack of enforced session termination | >= 2.5.0, <= 3.9.27 |
| MEDIUM | 5.3 | [20210402] - Core - Inadequate filters on module layout settings | >= 3.0.0, <= 3.9.25 |
| MEDIUM | 5.3 | [20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field | >= 1.6.0, < 3.9.25 |
| MEDIUM | 5.3 | [20210307] - Core - ACL violation within com_content frontend editing | >= 3.0.0, < 3.9.25 |
| MEDIUM | 5.3 | [20210301] - Core - Insecure randomness within 2FA secret generation | >= 3.2.0, < 3.9.25 |
| MEDIUM | 5.3 | [20210101] - Core - com_modules exposes module names | >= 3.0.0, <= 3.9.23 |
| MEDIUM | 5.3 | [20201105] - Core - User Enumeration in backend login | >= 3.9.0, <= 3.9.22 |
| MEDIUM | 5.3 | An issue was discovered in Joomla! through 3.9.19. | >= 2.5.0, <= 3.9.19 |
| MEDIUM | 5.3 | An issue was discovered in Joomla! through 3.9.19. | >= 3.0.0, <= 3.9.19 |
| MEDIUM | 5.3 | An issue was discovered in Joomla! before 3.9.17. | >= 3.8.8, < 3.9.17 |
| MEDIUM | 5.3 | An issue was discovered in Joomla! before 3.9.17. | >= 2.5.0, < 3.9.17 |
| MEDIUM | 5.3 | An issue was discovered in Joomla! before 3.9.17. | >= 2.5.0, < 3.9.17 |
| MEDIUM | 5.3 | An issue was discovered in Joomla! before 3.9.16. | >= 3.0.0, < 3.9.16 |
| MEDIUM | 5.3 | [20220302] - Core - Path Disclosure within filesystem error messages | >= 3.0.0, <= 3.10.6, >= 4.0.0, <= 4.1.0 |
| MEDIUM | 4.3 | [20240202] - Core - Open redirect in installation application | >= 1.5.0, < 5.0.3 |
| MEDIUM | 4.3 | [20230102] - Core - Missing ACL checks for com_actionlogs | >= 4.0.0, <= 4.2.4 |
| MEDIUM | 4.3 | An issue was discovered in Joomla! through 3.9.19. | >= 3.0.0, <= 3.9.19 |
| — | | Joomla! Core - [20260512] - MFA Authentication Bypass | >= 4.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | | Joomla! Core - [20260511] - MFA Authentication Bypass | >= 4.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | | Joomla! Core - [20260510] - Path traversal in com_media webservice endpoint | >= 4.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |
| — | | Joomla! Core - [20260508] - Improper access check in com_config webservice endpoints | >= 4.0.0, < 5.4.6, >= 6.0.0, < 6.1.1 |