Joomla!@* Security Vulnerabilities and Issues — Joomla!@* CVE List

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

6.1CVSS6.4AI score0.01294EPSS

In wild

CVE•added 2016/12/30 7:59 p.m.•515 views

CVE-2016-10033

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property.

9.8CVSS9.8AI score0.94352EPSS

In wildWeb

CVE•added 2022/03/30 4:15 p.m.•360 views

CVE-2022-23797

An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering on the selected Ids on an request could resulted into an possible SQL injection.

9.8CVSS9.8AI score0.00105EPSS

CVE•added 2023/02/16 5:15 p.m.•350 views

CVE-2023-23752

An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

5.3CVSS5.6AI score0.94532EPSS

In wildWeb

CVE•added 2019/05/09 4:29 a.m.•288 views

CVE-2019-11831

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

9.8CVSS9.3AI score0.03267EPSS

CVE•added 2016/12/30 7:59 p.m.•267 views

CVE-2016-10045

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE:...

9.8CVSS10AI score0.94352EPSS

In wildWeb

CVE•added 2022/03/30 4:15 p.m.•249 views

CVE-2022-23793

An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting an specifilcy crafted tar package could write files outside of the intended path.

7.5CVSS7.5AI score0.00049EPSS

CVE•added 2016/12/16 9:59 a.m.•203 views

CVE-2016-9838

An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and ...

7.5CVSS8.4AI score0.02871EPSS

Web

CVE•added 2023/11/29 1:15 p.m.•198 views

CVE-2023-40626

The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.

7.5CVSS7.4AI score0.00024EPSS

CVE•added 2021/07/07 11:15 a.m.•182 views

CVE-2021-26036

An issue was discovered in Joomla! 2.5.0 through 3.9.27. Missing validation of input could lead to a broken usergroups table.

7.5CVSS7.3AI score0.00009EPSS

In wild

CVE•added 2019/06/11 7:29 p.m.•161 views

CVE-2019-12765

An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection.

9.8CVSS9.5AI score0.17367EPSS

Web

CVE•added 2025/04/08 5:15 p.m.•149 views

CVE-2025-25226

Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question ...

9.8CVSS8AI score0.00004EPSS

Web

CVE•added 2016/11/04 9:59 p.m.•142 views

CVE-2016-8870

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.

8.1CVSS8.7AI score0.91971EPSS

Web

CVE•added 2019/12/18 4:15 a.m.•138 views

CVE-2019-19846

In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.

9.8CVSS9.7AI score0.00056EPSS

CVE•added 2016/11/04 9:59 p.m.•136 views

CVE-2016-8869

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.

9.8CVSS9.4AI score0.93438EPSS

Web

CVE•added 2020/12/28 8:15 p.m.•128 views

CVE-2020-35613

An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.

9.8CVSS9.8AI score0.01169EPSS

CVE•added 2024/08/20 4:15 p.m.•127 views

CVE-2024-27185

The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.

9.1CVSS6.6AI score0.00007EPSS

CVE•added 2022/03/30 4:15 p.m.•125 views

CVE-2022-23798

An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not.

6.1CVSS6.4AI score0.00033EPSS

CVE•added 2019/09/24 9:15 p.m.•121 views

CVE-2019-16725

In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates.

6.1CVSS5.9AI score0.04043EPSS

CVE•added 2022/03/30 4:15 p.m.•118 views

CVE-2022-23799

An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data.

9.8CVSS9.4AI score0.00014EPSS

CVE•added 2019/06/11 7:29 p.m.•113 views

CVE-2019-12764

An issue was discovered in Joomla! before 3.9.7. The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users.

6.5CVSS6.6AI score0.00018EPSS

CVE•added 2021/07/07 11:15 a.m.•113 views

CVE-2021-26038

An issue was discovered in Joomla! 2.5.0 through 3.9.27. Install action in com_installer lack the required hardcoded ACL checks for superusers. A default system is not affected cause the default ACL for com_installer is limited to super users already.

7.5CVSS7.4AI score0.0001EPSS

CVE•added 2023/05/30 5:15 p.m.•113 views

CVE-2023-23755

An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.

7.5CVSS7.4AI score0.00004EPSS

CVE•added 2019/06/11 7:29 p.m.•107 views

CVE-2019-12766

An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields. This leads to XSS attack vectors.

6.1CVSS6AI score0.00065EPSS

CVE•added 2022/03/30 4:15 p.m.•107 views

CVE-2022-23795

An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover.

9.8CVSS9.4AI score0.0001EPSS

CVE•added 2019/12/18 4:15 a.m.•105 views

CVE-2019-19845

In Joomla! before 3.9.14, a missing access check in framework files could lead to a path disclosure.

5.3CVSS5.3AI score0.00011EPSS

CVE•added 2022/03/30 4:15 p.m.•105 views

CVE-2022-23796

An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields.

6.1CVSS6.2AI score0.00106EPSS

CVE•added 2022/03/30 4:15 p.m.•105 views

CVE-2022-23801

An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS atack vector through SVG embedding in com_media.

6.1CVSS6.2AI score0.01156EPSS

CVE•added 2022/03/30 4:15 p.m.•99 views

CVE-2022-23794

An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Uploading a file name of an excess length causes the error. This error brings up the screen with the path of the source code of the web application.

5.3CVSS5.6AI score0.00006EPSS

CVE•added 2019/01/16 8:29 a.m.•98 views

CVE-2019-6263

An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration Text Filter settings allowed stored XSS.

4.8CVSS5AI score0.00071EPSS

Web

CVE•added 2021/04/14 6:15 p.m.•98 views

CVE-2021-26031

An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate filters on module layout settings could lead to an LFI.

5.3CVSS5.3AI score0.00011EPSS

CVE•added 2022/03/30 4:15 p.m.•96 views

CVE-2022-23800

An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components.

6.1CVSS6.4AI score0.01156EPSS

CVE•added 2021/03/04 6:15 p.m.•95 views

CVE-2021-23132

An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads

7.5CVSS7.5AI score0.65284EPSS

Web

CVE•added 2019/04/10 7:29 p.m.•92 views

CVE-2019-10945

An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanitize the folder parameter, allowing attackers to act outside the media manager root directory.

9.8CVSS7.4AI score0.85382EPSS

Web

CVE•added 2023/02/01 10:15 p.m.•91 views

CVE-2023-23750

An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.

6.3CVSS6.2AI score0.00005EPSS

CVE•added 2020/12/28 8:15 p.m.•90 views

CVE-2020-35611

An issue was discovered in Joomla! 2.5.0 through 3.9.22. The globlal configuration page does not remove secrets from the HTML output, disclosing the current values.

7.5CVSS7.4AI score0.00012EPSS

CVE•added 2020/12/28 8:15 p.m.•90 views

CVE-2020-35614

An issue was discovered in Joomla! 3.9.0 through 3.9.22. Improper handling of the username leads to a user enumeration attack vector in the backend login page.

5.3CVSS5.2AI score0.00006EPSS

CVE•added 2020/12/28 8:15 p.m.•89 views

CVE-2020-35616

An issue was discovered in Joomla! 1.7.0 through 3.9.22. Lack of input validation while handling ACL rulesets can cause write ACL violations.

7.5CVSS7.5AI score0.0001EPSS

CVE•added 2018/05/22 3:29 p.m.•88 views

CVE-2018-11321

An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.

6.5CVSS6.6AI score0.00213EPSS

CVE•added 2018/10/09 9:29 p.m.•88 views

CVE-2018-17856

An issue was discovered in Joomla! before 3.8.13. com_joomlaupdate allows the execution of arbitrary code. The default ACL config enabled the ability of Administrator-level users to access com_joomlaupdate and trigger code execution.

7.2CVSS7.3AI score0.06046EPSS

CVE•added 2020/03/16 4:15 p.m.•87 views

CVE-2020-10239

An issue was discovered in Joomla! before 3.9.16. Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.

8.8CVSS8.8AI score0.01791EPSS

CVE•added 2020/12/28 8:15 p.m.•87 views

CVE-2020-35610

An issue was discovered in Joomla! 2.5.0 through 3.9.22. The autosuggestion feature of com_finder did not respect the access level of the corresponding terms.

7.5CVSS7.5AI score0.00008EPSS

CVE•added 2020/01/28 9:15 p.m.•87 views

CVE-2020-8419

An issue was discovered in Joomla! before 3.9.15. Missing token checks in the batch actions of various components cause CSRF vulnerabilities.

8.8CVSS8.6AI score0.00006EPSS

CVE•added 2020/01/28 9:15 p.m.•87 views

CVE-2020-8421

An issue was discovered in Joomla! before 3.9.15. Inadequate escaping of usernames allows XSS attacks in com_actionlogs.

6.1CVSS6.1AI score0.01258EPSS

CVE•added 2021/01/12 9:15 p.m.•87 views

CVE-2021-23125

An issue was discovered in Joomla! 3.1.0 through 3.9.23. The lack of escaping of image-related parameters in multiple com_tags views cause lead to XSS attack vectors.

6.1CVSS5.9AI score0.07984EPSS

Total number of security vulnerabilities192