CVE-2016-8869 — CVSS 9.8 (critical): The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows…
CVE-2016-10045 — CVSS 9.8 (critical): The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently…
CVE-2022-23799 — CVSS 9.8 (critical): An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with…
CVE-2019-7743 — CVSS 9.8 (critical): An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for objection injection attacks because there is no…
CVE-2010-1433 — CVSS 9.8 (critical): Joomla! Core is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to properly verify…
CVE-2025-25226 — CVSS 9.8 (critical): Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the…
CVE-2020-35613 — CVSS 9.8 (critical): An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in…
CVE-2019-19846 — CVSS 9.8 (critical): In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.
CVE-2026-48904 — CVSS 9.8 (critical): An improper access check allows privelege escalation through the com_users group editing webservice endpoint.
CVE-2016-9081 — CVSS 9.8 (critical): Joomla! 3.4.4 through 3.6.3 allows attackers to reset username, password, and user group assignments and possibly perform other user…
CVE-2019-12765 — CVSS 9.8 (critical): An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection.
CVE-2019-11831 — CVSS 9.8 (critical): The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory…
CVE-2019-10945 — CVSS 9.8 (critical): An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanitize the folder parameter, allowing…
CVE-2010-1435 — CVSS 9.8 (critical): Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions…
CVE-2018-6376 — CVSS 9.8 (critical): In Joomla! before 3.8.4, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor…
CVE-2018-15882 — CVSS 9.8 (critical): An issue was discovered in Joomla! before 3.8.12. Inadequate checks in the InputFilter class could allow specifically prepared phar files…
CVE-2026-48902 — CVSS 9.8 (critical): The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
CVE-2022-23795 — CVSS 9.8 (critical): An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication…
CVE-2018-11325 — CVSS 9.8 (critical): An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form…
CVE-2017-8917 — CVSS 9.8 (critical): SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2017-14596 — CVSS 9.8 (critical): In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password.
CVE-2020-10243 — CVSS 9.8 (critical): An issue was discovered in Joomla! before 3.9.16. The lack of type casting of a variable in a SQL statement leads to a SQL injection…
CVE-2022-23797 — CVSS 9.8 (critical): An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering on the selected Ids on an request could…
CVE-2016-9836 — CVSS 9.8 (critical): The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions…
CVE-2007-4188 — CVSS 9.3 (critical): Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via…
CVE-2021-26040 — CVSS 9.1 (critical): An issue was discovered in Joomla! 4.0.0. The media manager does not correctly check the user's permissions before executing a file…
CVE-2021-23127 — CVSS 9.1 (critical): An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of an insufficient length for the 2FA secret accoring to RFC 4226 of 10…
CVE-2021-23128 — CVSS 9.1 (critical): An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncryptRandval)…
CVE-2020-8419 — CVSS 8.8 (high): An issue was discovered in Joomla! before 3.9.15. Missing token checks in the batch actions of various components cause CSRF…
CVE-2020-8420 — CVSS 8.8 (high): An issue was discovered in Joomla! before 3.9.15. A missing CSRF token check in the LESS compiler of com_templates causes a CSRF…
CVE-2026-21630 — CVSS 8.8 (high): Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.
CVE-2017-11364 — CVSS 8.8 (high): The CMS installer in Joomla! before 3.7.4 does not verify a user's ownership of a webspace, which allows remote authenticated users to gain…
CVE-2018-11323 — CVSS 8.8 (high): An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with…
CVE-2018-12712 — CVSS 8.8 (high): An issue was discovered in Joomla! 2.5.0 through 3.8.8 before 3.8.9. The autoload code checks classnames to be valid, using the…
CVE-2018-17855 — CVSS 8.8 (high): An issue was discovered in Joomla! before 3.8.13. If an attacker gets access to the mail account of an user who can approve admin…
CVE-2018-17858 — CVSS 8.8 (high): An issue was discovered in Joomla! before 3.8.13. com_installer actions do not have sufficient CSRF hardening in the backend.
CVE-2018-8045 — CVSS 8.8 (high): In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the…
CVE-2019-14654 — CVSS 8.8 (high): In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and…
CVE-2019-18650 — CVSS 8.8 (high): An issue was discovered in Joomla! before 3.9.13. A missing token check in com_template causes a CSRF vulnerability.
CVE-2020-10239 — CVSS 8.8 (high): An issue was discovered in Joomla! before 3.9.16. Incorrect Access Control in the SQL fieldtype of com_fields allows access for…
CVE-2020-10241 — CVSS 8.8 (high): An issue was discovered in Joomla! before 3.9.16. Missing token checks in the image actions of com_templates lead to CSRF.
CVE-2016-8870 — CVSS 8.1 (high): The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when…
CVE-2020-13763 — CVSS 7.5 (high): In Joomla! before 3.9.19, the default settings of the global textfilter configuration do not block HTML inputs for Guest users.
CVE-2010-2679 — CVSS 7.5 (high): SQL injection vulnerability in the Weblinks (com_weblinks) component in Joomla! allows remote attackers to execute arbitrary SQL commands…
CVE-2014-6632 — CVSS 7.5 (high): Joomla! 2.5.x before 2.5.25, 3.x before 3.2.4, and 3.3.x before 3.3.4 allows remote attackers to authenticate and bypass intended access…
CVE-2014-7228 — CVSS 7.5 (high): Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for…
CVE-2018-15881 — CVSS 7.5 (high): An issue was discovered in Joomla! before 3.8.12. Inadequate checks regarding disabled fields can lead to an ACL violation.
CVE-2014-7981 — CVSS 7.5 (high): SQL injection vulnerability in Joomla! CMS 3.1.x and 3.2.x before 3.2.3 allows remote attackers to execute arbitrary SQL commands via…
CVE-2018-11322 — CVSS 7.5 (high): An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as executable PHP…
CVE-2012-2747 — CVSS 7.5 (high): Unspecified vulnerability in Joomla! 2.5.x before 2.5.5 allows remote attackers to gain privileges via unknown attack vectors related to…
CVE-2020-35610 — CVSS 7.5 (high): An issue was discovered in Joomla! 2.5.0 through 3.9.22. The autosuggestion feature of com_finder did not respect the access level of the…
CVE-2021-26038 — CVSS 7.5 (high): An issue was discovered in Joomla! 2.5.0 through 3.9.27. Install action in com_installer lack the required hardcoded ACL checks for…
CVE-2012-1116 — CVSS 7.5 (high): SQL injection vulnerability in Joomla! 1.7.x and 2.5.x before 2.5.2 allows remote attackers to execute arbitrary SQL commands via…
CVE-2014-7984 — CVSS 7.5 (high): Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to authenticate and bypass intended restrictions via vectors…
CVE-2015-4654 — CVSS 7.5 (high): SQL injection vulnerability in the EQ Event Calendar component for Joomla! allows remote attackers to execute arbitrary SQL commands via…
CVE-2017-9933 — CVSS 7.5 (high): Improper cache invalidation in Joomla! CMS 1.7.3 through 3.7.2 leads to disclosure of form contents.
CVE-2013-1453 — CVSS 7.5 (high): plugins/system/highlight/highlight.php in Joomla! 3.0.x through 3.0.2 and 2.5.x through 2.5.8 allows attackers to unserialize arbitrary PHP…
CVE-2020-35611 — CVSS 7.5 (high): An issue was discovered in Joomla! 2.5.0 through 3.9.22. The globlal configuration page does not remove secrets from the HTML output…
CVE-2019-10946 — CVSS 7.5 (high): An issue was discovered in Joomla! before 3.9.5. The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls…
CVE-2012-1598 — CVSS 7.5 (high): Joomla! 1.5.x before 1.5.26 has unspecified impact and attack vectors related to "insufficient randomness" and a "password reset…
CVE-2015-7297 — CVSS 7.5 (high): SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors…
CVE-2010-1434 — CVSS 7.5 (high): Joomla! Core is prone to a session fixation vulnerability. An attacker may leverage this issue to hijack an arbitrary session and gain…
CVE-2006-4470 — CVSS 7.5 (high): Joomla! before 1.0.11 omits some checks for whether _VALID_MOS is defined, which allows attackers to have an unknown impact, possibly…
CVE-2021-23132 — CVSS 7.5 (high): An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads
CVE-2015-7857 — CVSS 7.5 (high): SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2…
CVE-2020-35612 — CVSS 7.5 (high): An issue was discovered in Joomla! 2.5.0 through 3.9.22. The folder parameter of mod_random_image lacked input validation, leading to a…
CVE-2006-4472 — CVSS 7.5 (high): Multiple unspecified vulnerabilities in Joomla! before 1.0.11 allow attackers to bypass user authentication via unknown vectors involving…
CVE-2015-7858 — CVSS 7.5 (high): SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors…
CVE-2015-8562 — CVSS 7.5 (high): Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via…
CVE-2023-23755 — CVSS 7.5 (high): An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.
CVE-2021-26036 — CVSS 7.5 (high): An issue was discovered in Joomla! 2.5.0 through 3.9.27. Missing validation of input could lead to a broken usergroups table.
CVE-2015-8564 — CVSS 7.5 (high): Directory traversal vulnerability in Joomla! 3.4.x before 3.4.6 allows remote attackers to have unspecified impact via directory traversal…
CVE-2015-8565 — CVSS 7.5 (high): Directory traversal vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows remote attackers to have unspecified impact…
CVE-2006-4469 — CVSS 7.5 (high): Unspecified vulnerability in PEAR.php in Joomla! before 1.0.11 allows remote attackers to perform "remote execution," related to "Injection…
CVE-2022-23793 — CVSS 7.5 (high): An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting an specifilcy crafted tar package could write…
CVE-2010-4166 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in Joomla! 1.5.x before 1.5.22 allow remote attackers to execute arbitrary SQL commands via (1) the…
CVE-2026-40384 — CVSS 7.5 (high): An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.
CVE-2019-9713 — CVSS 7.5 (high): An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access.
CVE-2016-9837 — CVSS 7.5 (high): An issue was discovered in templates/beez3/html/com_content/article/default.php in Joomla! before 3.6.5. Inadequate permissions checks in…
CVE-2020-10238 — CVSS 7.5 (high): An issue was discovered in Joomla! before 3.9.16. Various actions in com_templates lack the required ACL checks, leading to various…
CVE-2026-48901 — CVSS 7.5 (high): The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.
CVE-2016-9838 — CVSS 7.5 (high): An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form…
CVE-2023-40626 — CVSS 7.5 (high): The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible…
CVE-2009-1499 — CVSS 7.5 (high): SQL injection vulnerability in the MailTo (aka com_mailto) component in Joomla! allows remote attackers to execute arbitrary SQL commands…
CVE-2010-1432 — CVSS 7.5 (high): Joomla! Core is prone to an information disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may…
CVE-2008-4122 — CVSS 7.5 (high): Joomla! 1.5.8 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to…
CVE-2008-6852 — CVSS 7.5 (high): SQL injection vulnerability in the Ice Gallery (com_ice) component 0.5 beta 2 for Joomla! allows remote attackers to execute arbitrary SQL…
CVE-2020-35616 — CVSS 7.5 (high): An issue was discovered in Joomla! 1.7.0 through 3.9.22. Lack of input validation while handling ACL rulesets can cause write ACL…
CVE-2010-4696 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in Joomla! 1.5.x before 1.5.22 allow remote attackers to execute arbitrary SQL commands via the (1)…
CVE-2015-8769 — CVSS 7.3 (high): SQL injection vulnerability in Joomla! 3.x before 3.4.7 allows attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2026-21629 — CVSS 7.3 (high): The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected…
CVE-2018-17856 — CVSS 7.2 (high): An issue was discovered in Joomla! before 3.8.13. com_joomlaupdate allows the execution of arbitrary code. The default ACL config enabled…
CVE-2026-23898 — CVSS 7.2 (high): Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.
CVE-2006-4468 — CVSS 6.8 (medium): Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related to unvalidated input, allow attackers to have an unknown impact via…
CVE-2015-8563 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in the com_templates component in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows…
CVE-2013-5576 — CVSS 6.8 (medium): administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote…
CVE-2015-5397 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.2 allows remote attackers to hijack the…
CVE-2021-26033 — CVSS 6.5 (medium): An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint.
CVE-2021-26034 — CVSS 6.5 (medium): An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in…
CVE-2019-12764 — CVSS 6.5 (medium): An issue was discovered in Joomla! before 3.9.7. The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users.
CVE-2017-7989 — CVSS 6.5 (medium): In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they…
CVE-2006-4471 — CVSS 6.5 (medium): The Admin Upload Image functionality in Joomla! before 1.0.11 allows remote authenticated users to upload files outside of the…
CVE-2018-11321 — CVSS 6.5 (medium): An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to…
CVE-2020-35615 — CVSS 6.3 (medium): An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF…
CVE-2020-15695 — CVSS 6.3 (medium): An issue was discovered in Joomla! through 3.9.19. A missing token check in the remove request section of com_privacy causes a CSRF…
CVE-2020-15700 — CVSS 6.3 (medium): An issue was discovered in Joomla! through 3.9.19. A missing token check in the ajax_install endpoint of com_installer causes a CSRF…
CVE-2024-21722 — CVSS 6.3 (medium): The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.
CVE-2023-23750 — CVSS 6.3 (medium): An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of…
CVE-2017-11612 — CVSS 6.1 (medium): In Joomla! before 3.7.4, inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components.
CVE-2024-21724 — CVSS 6.1 (medium): Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions.
CVE-2023-23754 — CVSS 6.1 (medium): An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa…
CVE-2022-27914 — CVSS 6.1 (medium): An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS…
CVE-2022-27913 — CVSS 6.1 (medium): An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS…
CVE-2022-23801 — CVSS 6.1 (medium): An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS atack vector through SVG embedding in com_media.
CVE-2022-23800 — CVSS 6.1 (medium): An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components.
CVE-2022-23798 — CVSS 6.1 (medium): An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid…
CVE-2022-23796 — CVSS 6.1 (medium): An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields.
CVE-2017-7984 — CVSS 6.1 (medium): In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering leads to XSS in the template manager component.
CVE-2017-7985 — CVSS 6.1 (medium): In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of multibyte characters leads to XSS vulnerabilities in various…
CVE-2017-7986 — CVSS 6.1 (medium): In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of specific HTML attributes leads to XSS vulnerabilities in various…
CVE-2017-7987 — CVSS 6.1 (medium): In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping of file and folder names leads to XSS vulnerabilities in the template…
CVE-2017-9934 — CVSS 6.1 (medium): Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability.
CVE-2018-12711 — CVSS 6.1 (medium): An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link of the…
CVE-2020-24598 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.21. Lack of input validation in the vote feature of com_content leads to an open redirect.
CVE-2021-26032 — CVSS 6.1 (medium): An issue was discovered in Joomla! 3.0.0 through 3.9.26. HTML was missing in the executable block list of MediaHelper::canUpload, leading…
CVE-2020-24599 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.21. Lack of escaping in mod_latestactions allows XSS attacks.
CVE-2021-26039 — CVSS 6.1 (medium): An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the imagelist view of com_media leads to a XSS…
CVE-2021-26030 — CVSS 6.1 (medium): An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default…
CVE-2018-6377 — CVSS 6.1 (medium): In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e., list, radio…
CVE-2018-6378 — CVSS 6.1 (medium): In Joomla! Core before 3.8.8, inadequate filtering of file and folder names leads to various XSS attack vectors in the media manager.
CVE-2018-6379 — CVSS 6.1 (medium): In Joomla! before 3.8.4, inadequate input filtering in the Uri class (formerly JUri) leads to an XSS vulnerability.
CVE-2018-6380 — CVSS 6.1 (medium): In Joomla! before 3.8.4, lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.
CVE-2019-11358 — CVSS 6.1 (medium): jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of…
CVE-2019-11809 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.6. The debug views of com_users do not properly escape user supplied data, which leads to a…
CVE-2019-12766 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields. This…
CVE-2019-16725 — CVSS 6.1 (medium): In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates.
CVE-2020-8421 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.15. Inadequate escaping of usernames allows XSS attacks in com_actionlogs.
CVE-2021-23130 — CVSS 6.1 (medium): An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of feed fields could lead to xss issues.
CVE-2021-23129 — CVSS 6.1 (medium): An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of messages showed to users that could lead to xss issues.
CVE-2019-6261 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in com_contact leads to a stored XSS vulnerability.
CVE-2019-6264 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in mod_banners leads to a stored XSS vulnerability.
CVE-2019-7739 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.3. The "No Filtering" textfilter overrides child settings in the Global Configuration. This…
CVE-2019-7740 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.3. Inadequate parameter handling in JavaScript code (core.js writeDynaList) could lead to an…
CVE-2019-7741 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.3. Inadequate checks at the Global Configuration helpurl settings allowed stored XSS.
CVE-2019-7742 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.3. A combination of specific web server configurations, in connection with specific file…
CVE-2021-23125 — CVSS 6.1 (medium): An issue was discovered in Joomla! 3.1.0 through 3.9.23. The lack of escaping of image-related parameters in multiple com_tags views cause…
CVE-2019-7744 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.3. Inadequate filtering on URL fields in various core components could lead to an XSS…
CVE-2019-9711 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.4. The item_title layout in edit views lacks escaping, leading to XSS.
CVE-2019-9712 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.4. The JSON handler in com_config lacks input validation, leading to XSS.
CVE-2019-9714 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.4. The media form field lacks escaping, leading to XSS.
CVE-2026-48903 — CVSS 6.1 (medium): Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.
CVE-2020-10242 — CVSS 6.1 (medium): An issue was discovered in Joomla! before 3.9.16. Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allows XSS…
CVE-2021-23124 — CVSS 6.1 (medium): An issue was discovered in Joomla! 3.9.0 through 3.9.23. The lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks.
CVE-2020-13761 — CVSS 6.1 (medium): In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories"…
CVE-2020-13762 — CVSS 6.1 (medium): In Joomla! before 3.9.19, incorrect input validation of the module tag option in com_modules allows XSS.
CVE-2020-15696 — CVSS 6.1 (medium): An issue was discovered in Joomla! through 3.9.19. Lack of input filtering and escaping allows XSS attacks in mod_random_image.
CVE-2021-26035 — CVSS 6.1 (medium): An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to a XSS…
CVE-2018-11324 — CVSS 5.9 (medium): An issue was discovered in Joomla! Core before 3.8.8. A long running background process, such as remote checks for core or extension…
CVE-2013-3242 — CVSS 5.5 (medium): plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obtained by…