Joomla Joomla!
390 CVEs affecting Joomla Joomla!. Latest disclosed: 2026-05-26. Critical: 15, High: 10.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-48904 | Critical | 9.8 | 2026-05-26 | An improper access check allows privilege escalation through the com_users group editing webservice endpoint. |
| CVE-2026-48902 | Critical | 9.8 | 2026-05-26 | The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. |
| CVE-2026-48899 | Critical | 9.8 | 2026-05-26 | An improper access check allows privilege escalation through the com_users batch task. |
| CVE-2026-48898 | Critical | 9.8 | 2026-05-26 | An improper access check allows privilege escalation through the com_users batch task. |
| CVE-2026-40383 | Critical | 9.8 | 2026-05-26 | An improper validation of user-supplied input leads to a local file inclusion vulnerability. |
| CVE-2026-35223 | Critical | 9.8 | 2026-05-26 | An improper access check allows unauthorized access to com_config webservice endpoints. |
| CVE-2026-35222 | Critical | 9.8 | 2026-05-26 | Improperly validated order clauses lead to a SQL injection vulnerability in com_tags. |
| CVE-2026-35221 | Critical | 9.8 | 2026-05-26 | Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder. |
| CVE-2017-16634 | Critical | 9.8 | 2017-11-10 | In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication method. |
| CVE-2017-14596 | Critical | 9.8 | 2017-09-20 | In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password. |
| CVE-2017-8917 | Critical | 9.8 | 2017-05-17 | SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2016-9081 | Critical | 9.8 | 2017-01-23 | Joomla! 3.4.4 through 3.6.3 allows attackers to reset username, password, and user group assignments and possibly perform other user account modifications via… |
| CVE-2016-10045 | Critical | 9.8 | 2016-12-30 | The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary co… |
| CVE-2016-9836 | Critical | 9.8 | 2016-12-05 | The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded… |
| CVE-2016-8869 | Critical | 9.8 | 2016-11-04 | The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain… |
| CVE-2017-11364 | High | 8.8 | 2017-08-02 | The CMS installer in Joomla! before 3.7.4 does not verify a user's ownership of a webspace, which allows remote authenticated users to gain control of the targ… |
| CVE-2016-8870 | High | 8.1 | 2016-11-04 | The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disa… |
| CVE-2026-48901 | High | 7.5 | 2026-05-26 | The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. |
| CVE-2026-48897 | High | 7.5 | 2026-05-26 | Insufficient state checks lead to a vector that allows 2FA checks to be bypassed. |
| CVE-2026-48896 | High | 7.5 | 2026-05-26 | Insufficient state checks lead to a vector that allows 2FA checks to be bypassed. |