Joomla!

274 matches found

added 2024/02/29 1:44 a.m., 8242 views

CVE-2024-21724

Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions.

CVSS 6.1 | AI score 6 | EPSS 0.00036

added 2024/02/29 1:44 a.m., 6869 views

CVE-2024-21723

Inadequate parsing of URLs could result in an open redirect.

CVSS 4.3 | AI score 6.5 | EPSS 0.00005

added 2024/02/29 1:44 a.m., 6233 views

CVE-2024-21726

Inadequate content filtering leads to XSS vulnerabilities in various components.

CVSS 6.5 | AI score 6.4 | EPSS 0.00323

added 2024/02/29 1:44 a.m., 6173 views

CVE-2024-21722

The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.

CVSS 6.3 | AI score 6.4 | EPSS 0.00005

added 2024/02/29 1:44 a.m., 6036 views

CVE-2024-21725

Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components.

CVSS 6.1 | AI score 6.2 | EPSS 0.01539

added 2019/04/20 12:29 a.m., 2190 views

CVE-2019-11358

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVSS 6.1 | AI score 6.4 | EPSS 0.02394

added 2016/12/30 7:59 p.m., 425 views

CVE-2016-10033

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

CVSS 9.8 | AI score 9.8 | EPSS 0.94448

added 2022/03/30 4:15 p.m., 354 views

CVE-2022-23797

An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering of the selected IDs in a request could result in a possible SQL injection.

CVSS 9.8 | AI score 9.8 | EPSS 0.00105

added 2023/02/16 5:15 p.m., 315 views

CVE-2023-23752

An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

CVSS 5.3 | AI score 5.6 | EPSS 0.94532

added 2019/05/09 4:29 a.m., 280 views

CVE-2019-11831

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

CVSS 9.8 | AI score 9.3 | EPSS 0.00178

added 2017/05/17 11:29 p.m., 262 views

CVE-2017-8917

SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 9.8 | AI score 9.7 | EPSS 0.94285

added 2022/03/30 4:15 p.m., 243 views

CVE-2022-23793

An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting a specifically crafted tar package could write files outside of the intended path.

CVSS 7.5 | AI score 7.5 | EPSS 0.00049

added 2016/12/30 7:59 p.m., 230 views

CVE-2016-10045

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE:...

CVSS 9.8 | AI score 10 | EPSS 0.94448

added 2014/10/08 7:55 p.m., 207 views

CVE-2014-6632

Joomla! 2.5.x before 2.5.25, 3.x before 3.2.4, and 3.3.x before 3.3.4 allows remote attackers to authenticate and bypass intended access restrictions via vectors involving LDAP authentication.

CVSS 7.5 | AI score 6.7 | EPSS 0.00071

added 2016/12/16 9:59 a.m., 196 views

CVE-2016-9838

An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and ...

CVSS 7.5 | AI score 8.4 | EPSS 0.02871

added 2015/12/16 9:59 p.m., 188 views

CVE-2015-8562

Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.

CVSS 7.5 | AI score 8 | EPSS 0.93238

added 2023/11/29 1:15 p.m., 186 views

CVE-2023-40626

The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensitive information.

CVSS 7.5 | AI score 7.4 | EPSS 0.00024

added 2019/06/11 7:29 p.m., 155 views

CVE-2019-12765

An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection.

CVSS 9.8 | AI score 9.5 | EPSS 0.02036

added 2021/07/07 11:15 a.m., 148 views

CVE-2021-26036

An issue was discovered in Joomla! 2.5.0 through 3.9.27. Missing validation of input could lead to a broken usergroups table.

CVSS 7.5 | AI score 7.3 | EPSS 0.00009

added 2025/04/08 5:15 p.m., 141 views

CVE-2025-25226

Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in either the 2.x or 3.x branch, and therefore the vulnerability in question ...

CVSS 9.8 | AI score 8 | EPSS 0.00003

added 2016/11/04 9:59 p.m., 135 views

CVE-2016-8869

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.

CVSS 9.8 | AI score 9.4 | EPSS 0.93416

added 2016/11/04 9:59 p.m., 135 views

CVE-2016-8870

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.

CVSS 8.1 | AI score 8.7 | EPSS 0.91921

added 2019/12/18 4:15 a.m., 131 views

CVE-2019-19846

In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.

CVSS 9.8 | AI score 9.7 | EPSS 0.00056

added 2015/09/18 4:59 p.m., 130 views

CVE-2015-6939

Cross-site scripting (XSS) vulnerability in the login module in Joomla! 3.4.x before 3.4.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 4.3 | AI score 5.6 | EPSS 0.0008

added 2020/12/28 8:15 p.m., 123 views

CVE-2020-35613

An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.

CVSS 9.8 | AI score 9.8 | EPSS 0.01169

added 2024/08/20 4:15 p.m., 121 views

CVE-2024-27185

The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.

CVSS 9.1 | AI score 6.6 | EPSS 0.00007

added 2022/03/30 4:15 p.m., 119 views

CVE-2022-23798

An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result in an invalid check of whether a redirect URL is internal or not.

CVSS 6.1 | AI score 6.4 | EPSS 0.00033

added 2019/09/24 9:15 p.m., 115 views

CVE-2019-16725

In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates.

CVSS 6.1 | AI score 5.9 | EPSS 0.04043

added 2019/06/11 7:29 p.m., 113 views

CVE-2019-12764

An issue was discovered in Joomla! before 3.9.7. The update server URL of com_joomlaupdate can be manipulated by non-Super-Admin users.

CVSS 6.5 | AI score 6.6 | EPSS 0.00007

added 2023/05/30 5:15 p.m., 113 views

CVE-2023-23755

An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.

CVSS 7.5 | AI score 7.4 | EPSS 0.00004

added 2022/03/30 4:15 p.m., 112 views

CVE-2022-23799

An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data.

CVSS 9.8 | AI score 9.4 | EPSS 0.00014

added 2021/07/07 11:15 a.m., 108 views

CVE-2021-26038

An issue was discovered in Joomla! 2.5.0 through 3.9.27. The install action in com_installer lacks the required hardcoded ACL checks for superusers. A default system is not affected because the default ACL for com_installer is already limited to super users.

CVSS 7.5 | AI score 7.4 | EPSS 0.0001

added 2019/06/11 7:29 p.m., 107 views

CVE-2019-12766

An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields. This leads to XSS attack vectors.

CVSS 6.1 | AI score 6 | EPSS 0.00065

added 2022/03/30 4:15 p.m., 107 views

CVE-2022-23795

An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover.

CVSS 9.8 | AI score 9.4 | EPSS 0.0001

added 2022/03/30 4:15 p.m., 105 views

CVE-2022-23796

An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields.

CVSS 6.1 | AI score 6.2 | EPSS 0.00106

added 2022/03/30 4:15 p.m., 105 views

CVE-2022-23801

An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS attack vector through SVG embedding in com_media.

CVSS 6.1 | AI score 6.2 | EPSS 0.01156

added 2022/08/31 10:15 a.m., 105 views

CVE-2022-27911

An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing '_JEXEC or die check' caused by the PSR12 changes.

CVSS 5.3 | AI score 5.2 | EPSS 0.00008

added 2019/12/18 4:15 a.m., 99 views

CVE-2019-19845

In Joomla! before 3.9.14, a missing access check in framework files could lead to a path disclosure.

CVSS 5.3 | AI score 5.3 | EPSS 0.00011

added 2017/09/20 6:29 p.m., 93 views

CVE-2017-14596

In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password.

CVSS 9.8 | AI score 9.2 | EPSS 0.03976

added 2021/04/14 6:15 p.m., 92 views

CVE-2021-26031

An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate filters on module layout settings could lead to an LFI.

CVSS 5.3 | AI score 5.3 | EPSS 0.00011

added 2022/03/30 4:15 p.m., 92 views

CVE-2022-23794

An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Uploading a file with an excessively long name causes an error, and the resulting error screen discloses the path to the web application's source code.

CVSS 5.3 | AI score 5.6 | EPSS 0.00006

added 2019/04/10 7:29 p.m., 91 views

CVE-2019-10945

An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanitize the folder parameter, allowing attackers to act outside the media manager root directory.

CVSS 9.8 | AI score 7.4 | EPSS 0.84109

added 2019/01/16 8:29 a.m., 91 views

CVE-2019-6263

An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration Text Filter settings allowed stored XSS.

CVSS 4.8 | AI score 5 | EPSS 0.00074

added 2022/03/30 4:15 p.m., 90 views

CVE-2022-23800

An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components.

CVSS 6.1 | AI score 6.4 | EPSS 0.01156

added 2021/03/04 6:15 p.m., 88 views

CVE-2021-23132

An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads.

CVSS 7.5 | AI score 7.5 | EPSS 0.65284

added 2018/05/22 3:29 p.m., 86 views

CVE-2018-11321

An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.

CVSS 6.5 | AI score 6.6 | EPSS 0.00223

added 2023/02/01 10:15 p.m., 86 views

CVE-2023-23750

An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.

CVSS 6.3 | AI score 6.2 | EPSS 0.00005

added 2020/12/28 8:15 p.m., 85 views

CVE-2020-35611

An issue was discovered in Joomla! 2.5.0 through 3.9.22. The global configuration page does not remove secrets from the HTML output, disclosing the current values.

CVSS 7.5 | AI score 7.4 | EPSS 0.00012

added 2019/08/05 1:15 a.m., 84 views

CVE-2019-14654

In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. In other words, the filter attribute in subform fields allows remote code execution. This is fixed in 3.9.9.

CVSS 8.8 | AI score 8.8 | EPSS 0.00046

added 2020/12/28 8:15 p.m., 84 views

CVE-2020-35614

An issue was discovered in Joomla! 3.9.0 through 3.9.22. Improper handling of the username leads to a user enumeration attack vector in the backend login page.

CVSS 5.3 | AI score 5.2 | EPSS 0.00007

Total number of security vulnerabilities: 274