threatengine.sh
Product: joomla joomla!
382 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-23899
>= 3.0.0 and < 5.4.4
An improper access check allows unauthorized access to webservice endpoints.
8.8
HIGH
CVE-2026-23898
>= 3.0.0 and < 5.4.4
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.
7.2
HIGH
CVE-2026-21632
>= 3.0.0 and < 5.4.4
Lack of output escaping for article titles leads to XSS vectors in various locations.
5.4
MEDIUM
CVE-2026-21631
>= 3.0.0 and < 5.4.4
Lack of output escaping leads to an XSS vector in the multilingual associations component.
5.4
MEDIUM
CVE-2026-21630
>= 3.0.0 and < 5.4.4
Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.
8.8
HIGH
CVE-2026-21629
>= 3.0.0 and < 5.4.4
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially un
7.3
HIGH
CVE-2025-63083
>= 3.9.0 and < 5.4.2
Lack of output escaping leads to an XSS vector in the pagebreak plugin.
6.1
MEDIUM
CVE-2025-63082
>= 4.0.0 and < 5.4.2
Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.
6.1
MEDIUM
CVE-2025-25227
>= 4.0.0 and < 4.4.13
Insufficient state checks lead to a vector that allows bypassing 2FA checks.
7.5
HIGH
CVE-2025-25226
>= 1.0.0 and < 2.2.0
Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. Please
9.8
CRITICAL
CVE-2024-40749
>= 4.0.0 and < 4.4.10
Improper Access Controls allows access to protected views.
7.5
HIGH
CVE-2024-40748
>= 4.0.0 and < 4.4.10
Lack of output escaping in the id attribute of menu lists.
7.5
HIGH
CVE-2024-40747
>= 4.0.0 and < 4.4.10
Various module chromes didn't properly process inputs, leading to XSS vectors.
6.1
MEDIUM
CVE-2024-40743
>= 4.0.0 and < 4.4.6
The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.
6.1
MEDIUM
CVE-2024-27187
>= 4.0.0 and < 4.4.7
Improper Access Controls allows backend users to overwrite their username when disallowed.
7.5
HIGH
CVE-2024-27186
>= 4.0.0 and < 4.4.7
The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.
6.1
MEDIUM
CVE-2024-27185
>= 4.0.0 and < 4.4.7
The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.
9.1
CRITICAL
CVE-2024-27184
>= 4.0.0 and < 4.4.7
Inadequate validation of URLs could result in an invalid check of whether a redirect URL is internal or not.
6.1
MEDIUM
CVE-2024-26279
>= 3.0.0 and < 3.10.16
The wrapper extensions do not correctly validate inputs, leading to XSS vectors.
6.1
MEDIUM
CVE-2024-26278
>= 3.7.0 and < 3.10.16
The Custom Fields component does not correctly filter inputs, leading to an XSS vector.
6.1
MEDIUM
CVE-2024-21731
>= 3.0.0 and <= 3.10.15
Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.
6.1
MEDIUM
CVE-2024-21730
>= 4.0.0 and < 4.4.6
The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.
5.4
MEDIUM
CVE-2024-21729
>= 4.0.0 and < 4.4.6
Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.
6.1
MEDIUM
CVE-2024-21726
>= 3.7.0 and <= 3.10.15
Inadequate content filtering leads to XSS vulnerabilities in various components.
6.5
MEDIUM
CVE-2024-21725
>= 4.0.0 and < 4.4.3
Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components.
6.1
MEDIUM
CVE-2024-21724
>= 1.6.0 and < 3.10.15
Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions.
6.1
MEDIUM
CVE-2024-21723
>= 1.5.0 and < 3.10.15
Inadequate parsing of URLs could result in an open redirect.
4.3
MEDIUM
CVE-2024-21722
>= 3.2.0 and < 3.10.15
The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.
6.3
MEDIUM
CVE-2023-40626
>= 1.6.0 and < 3.10.14
The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensib
7.5
HIGH
CVE-2023-23755
>= 4.2.0 and < 4.3.2
An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.
7.5
HIGH
CVE-2023-23754
>= 4.2.0 and < 4.3.2
An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the
6.1
MEDIUM
CVE-2023-23752
>= 4.0.0 and < 4.2.8
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoint
5.3
MEDIUM
CVE-2023-23751
>= 4.0.0 and <= 4.2.4
An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.
4.3
MEDIUM
CVE-2023-23750
>= 4.0.0 and <= 4.2.6
An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-
6.3
MEDIUM
CVE-2022-27914
>= 4.0.0 and < 4.2.5
An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflecte
6.1
MEDIUM
CVE-2022-27913
>= 4.0.0 and <= 4.2.3
An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflecte
6.1
MEDIUM
CVE-2022-27912
>= 4.0.0 and <= 4.2.3
An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.
5.3
MEDIUM
CVE-2022-27911
all versions
An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing '_JEXEC or die check' caused by the PS
5.3
MEDIUM
CVE-2022-23801
>= 4.0.0 and <= 4.1.0
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS attack vector through SVG embedding in com_media.
6.1
MEDIUM
CVE-2022-23800
>= 4.0.0 and <= 4.1.0
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various compo
6.1
MEDIUM
CVE-2022-23799
>= 4.0.0 and <= 4.1.0
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags w
9.8
CRITICAL
CVE-2022-23798
>= 2.5.0 and <= 3.10.6
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result in an
6.1
MEDIUM
CVE-2022-23797
>= 3.0.0 and <= 3.10.6
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering on the selected Ids on a requ
9.8
CRITICAL
CVE-2022-23796
>= 3.7.0 and <= 3.10.6
An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields.
6.1
MEDIUM
CVE-2022-23795
>= 2.5.0 and <= 3.10.6
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authenticati
9.8
CRITICAL
CVE-2022-23794
>= 3.0.0 and <= 3.10.6
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Uploading a file name of an excess length causes th
5.3
MEDIUM
CVE-2022-23793
>= 3.0.0 and <= 3.10.6
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting a specifically crafted tar package could
7.5
HIGH
CVE-2021-26040
all versions
An issue was discovered in Joomla! 4.0.0. The media manager does not correctly check the user's permissions before executing a fil
9.1
CRITICAL
CVE-2021-26039
>= 3.0.0 and <= 3.9.27
An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the imagelist view of com_media leads to an XSS vul
6.1
MEDIUM
CVE-2021-26038
>= 2.5.0 and <= 3.9.27
An issue was discovered in Joomla! 2.5.0 through 3.9.27. The install action in com_installer lacks the required hardcoded ACL checks fo
7.5
HIGH
CVE-2021-26037
>= 2.5.0 and <= 3.9.27
An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly terminate existing user sessions when a user
5.3
MEDIUM
CVE-2021-26036
>= 2.5.0 and <= 3.9.27
An issue was discovered in Joomla! 2.5.0 through 3.9.27. Missing validation of input could lead to a broken usergroups table.
7.5
HIGH
CVE-2021-26035
>= 3.0.0 and <= 3.9.27
An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to an XSS vu
6.1
MEDIUM
CVE-2010-1435
>= 1.5.0 and <= 1.5.15
Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricte
9.8
CRITICAL
CVE-2010-1434
>= 1.5.0 and <= 1.5.15
Joomla! Core is prone to a session fixation vulnerability. An attacker may leverage this issue to hijack an arbitrary session and
7.5
HIGH
CVE-2010-1433
>= 1.5.0 and <= 1.5.15
Joomla! Core is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to properly veri
9.8
CRITICAL
CVE-2010-1432
>= 1.5.0 and <= 1.5.15
Joomla! Core is prone to an information disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information
7.5
HIGH
CVE-2021-26034
>= 3.0.0 and <= 3.9.26
An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoi
6.5
MEDIUM
CVE-2021-26033
>= 3.0.0 and <= 3.9.26
An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering
6.5
MEDIUM
CVE-2021-26032
>= 3.0.0 and <= 3.9.26
An issue was discovered in Joomla! 3.0.0 through 3.9.26. HTML was missing in the executable block list of MediaHelper::canUpload,
6.1
MEDIUM
CVE-2021-26031
>= 3.0.0 and <= 3.9.25
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate filters on module layout settings could lead to an LFI.
5.3
MEDIUM
CVE-2021-26030
>= 3.0.0 and <= 3.9.25
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the d
6.1
MEDIUM
CVE-2021-26029
>= 1.6.0 and < 3.9.25
An issue was discovered in Joomla! 1.6.0 through 3.9.24. Inadequate filtering of form contents could allow overwriting the author
5.3
MEDIUM
CVE-2021-26028
>= 3.0.0 and < 3.9.25
An issue was discovered in Joomla! 3.0.0 through 3.9.24. Extracting a specifically crafted zip package could write files outside of
5.5
MEDIUM
CVE-2021-26027
>= 3.0.0 and < 3.9.25
An issue was discovered in Joomla! 3.0.0 through 3.9.24. Incorrect ACL checks could allow unauthorized change of the category for
5.3
MEDIUM
CVE-2021-23132
>= 3.0.0 and < 3.9.25
An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads
7.5
HIGH
CVE-2021-23131
>= 3.2.0 and < 3.9.25
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Missing input validation within the template manager.
7.5
HIGH
CVE-2021-23130
>= 2.5.0 and < 3.9.25
An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of feed fields could lead to XSS issues.
6.1
MEDIUM
CVE-2021-23129
>= 2.5.0 and < 3.9.25
An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of messages shown to users could lead to XSS issu
6.1
MEDIUM
CVE-2021-23128
>= 3.2.0 and < 3.9.25
An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncrypt
9.1
CRITICAL
CVE-2021-23127
>= 3.2.0 and < 3.9.25
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of an insufficient length for the 2FA secret according to RFC 4226 o
9.1
CRITICAL
CVE-2021-23126
>= 3.2.0 and < 3.9.25
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating th
5.3
MEDIUM
CVE-2021-23125
>= 3.1.0 and <= 3.9.23
An issue was discovered in Joomla! 3.1.0 through 3.9.23. The lack of escaping of image-related parameters in multiple com_tags vie
6.1
MEDIUM
CVE-2021-23124
>= 3.9.0 and <= 3.9.23
An issue was discovered in Joomla! 3.9.0 through 3.9.23. The lack of escaping in mod_breadcrumbs aria-label attribute allows XSS a
6.1
MEDIUM
CVE-2021-23123
>= 3.0.0 and <= 3.9.23
An issue was discovered in Joomla! 3.0.0 through 3.9.23. The lack of ACL checks in the orderPosition endpoint of com_modules leak
5.3
MEDIUM
CVE-2020-35616
>= 1.7.0 and <= 3.9.22
An issue was discovered in Joomla! 1.7.0 through 3.9.22. Lack of input validation while handling ACL rulesets can cause write ACL
7.5
HIGH
CVE-2020-35615
>= 2.5.0 and <= 3.9.22
An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a
6.3
MEDIUM
CVE-2020-35614
>= 3.9.0 and <= 3.9.22
An issue was discovered in Joomla! 3.9.0 through 3.9.22. Improper handling of the username leads to a user enumeration attack vect
5.3
MEDIUM
CVE-2020-35613
>= 3.0.0 and <= 3.9.22
An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerab
9.8
CRITICAL
CVE-2020-35612
>= 2.5.0 and <= 3.9.22
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The folder parameter of mod_random_image lacked input validation, leading
7.5
HIGH
CVE-2020-35611
>= 2.5.0 and <= 3.9.22
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The global configuration page does not remove secrets from the HTML outp
7.5
HIGH
CVE-2020-35610
>= 2.5.0 and <= 3.9.22
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The autosuggestion feature of com_finder did not respect the access level
7.5
HIGH
CVE-2020-24599
>= 3.9.0 and < 3.9.21
An issue was discovered in Joomla! before 3.9.21. Lack of escaping in mod_latestactions allows XSS attacks.
6.1
MEDIUM
CVE-2020-24598
>= 3.0.0 and < 3.9.21
An issue was discovered in Joomla! before 3.9.21. Lack of input validation in the vote feature of com_content leads to an open red
6.1
MEDIUM
CVE-2020-15700
>= 3.7.0 and <= 3.9.19
An issue was discovered in Joomla! through 3.9.19. A missing token check in the ajax_install endpoint of com_installer causes a CS
6.3
MEDIUM
CVE-2020-15699
>= 2.5.0 and <= 3.9.19
An issue was discovered in Joomla! through 3.9.19. Missing validation checks on the usergroups table object can result in a broken
5.3
MEDIUM
CVE-2020-15698
>= 3.0.0 and <= 3.9.19
An issue was discovered in Joomla! through 3.9.19. Inadequate filtering on the system information screen could expose Redis or pro
5.3
MEDIUM
CVE-2020-15697
>= 3.0.0 and <= 3.9.19
An issue was discovered in Joomla! through 3.9.19. Internal read-only fields in the User table class could be modified by users.
4.3
MEDIUM
CVE-2020-15696
>= 3.0.0 and <= 3.9.19
An issue was discovered in Joomla! through 3.9.19. Lack of input filtering and escaping allows XSS attacks in mod_random_image.
6.1
MEDIUM
CVE-2020-15695
>= 3.9.0 and <= 3.9.19
An issue was discovered in Joomla! through 3.9.19. A missing token check in the remove request section of com_privacy causes a CSR
6.3
MEDIUM
CVE-2020-13763
>= 2.5.1 and < 3.9.19
In Joomla! before 3.9.19, the default settings of the global textfilter configuration do not block HTML inputs for Guest users.
7.5
HIGH
CVE-2020-13762
>= 3.9.0 and < 3.9.19
In Joomla! before 3.9.19, incorrect input validation of the module tag option in com_modules allows XSS.
6.1
MEDIUM
CVE-2020-13761
>= 3.0.1 and < 3.9.19
In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categor
6.1
MEDIUM
CVE-2020-13760
>= 3.7.1 and < 3.9.19
In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF.
8.8
HIGH
CVE-2020-11891
>= 3.8.8 and < 3.9.17
An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthor
5.3
MEDIUM
CVE-2020-11890
>= 2.5.0 and < 3.9.17
An issue was discovered in Joomla! before 3.9.17. Improper input validations in the usergroup table class could lead to a broken A
5.3
MEDIUM
CVE-2020-11889
>= 2.5.0 and < 3.9.17
An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthor
5.3
MEDIUM
CVE-2020-10243
>= 1.7.0 and < 3.9.16
An issue was discovered in Joomla! before 3.9.16. The lack of type casting of a variable in a SQL statement leads to a SQL injecti
9.8
CRITICAL
CVE-2020-10242
>= 3.0.0 and < 3.9.16
An issue was discovered in Joomla! before 3.9.16. Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allow
6.1
MEDIUM
CVE-2020-10241
>= 3.2.0 and < 3.9.16
An issue was discovered in Joomla! before 3.9.16. Missing token checks in the image actions of com_templates lead to CSRF.
8.8
HIGH
CVE-2020-10240
>= 3.0.0 and < 3.9.16
An issue was discovered in Joomla! before 3.9.16. Missing length checks in the user table can lead to the creation of users with d
5.3
MEDIUM
CVE-2020-10239
>= 3.7.0 and < 3.9.16
An issue was discovered in Joomla! before 3.9.16. Incorrect Access Control in the SQL fieldtype of com_fields allows access for no
8.8
HIGH
CVE-2020-10238
>= 2.5.0 and < 3.9.16
An issue was discovered in Joomla! before 3.9.16. Various actions in com_templates lack the required ACL checks, leading to variou
7.5
HIGH
CVE-2011-1151
all versions
Joomla! 1.6.0 is vulnerable to SQL Injection via the filter_order and filer_order_Dir parameters.
9.1
CRITICAL
CVE-2011-4912
>= 1.5.0 and <= 1.5.13
Joomla! com_mailto 1.5.x through 1.5.13 has an automated mail timeout bypass.
5.3
MEDIUM
CVE-2011-4937
< 1.7.2
Joomla! 1.7.1 has core information disclosure due to inadequate error checking.
7.5
HIGH
CVE-2011-3629
< 1.7.2
Joomla! core 1.7.1 allows information disclosure due to weak encryption
7.5
HIGH
CVE-2020-8421
>= 3.9.0 and < 3.9.14
An issue was discovered in Joomla! before 3.9.15. Inadequate escaping of usernames allows XSS attacks in com_actionlogs.
6.1
MEDIUM
CVE-2020-8420
>= 3.0.0 and < 3.9.15
An issue was discovered in Joomla! before 3.9.15. A missing CSRF token check in the LESS compiler of com_templates causes a CSRF v
8.8
HIGH
CVE-2020-8419
>= 3.0.0 and < 3.9.15
An issue was discovered in Joomla! before 3.9.15. Missing token checks in the batch actions of various components cause CSRF vulne
8.8
HIGH
CVE-2011-3595
<= 1.7.0
Multiple Cross-site Scripting (XSS) vulnerabilities exist in Joomla! through 1.7.0 in index.php in the search word, extension, ass
5.4
MEDIUM
CVE-2011-4907
>= 1.5.0 and <= 1.5.12
Joomla! 1.5.x through 1.5.12: Missing JEXEC Check
5.3
MEDIUM
CVE-2012-1563
< 2.5.3
Joomla! before 2.5.3 allows Admin Account Creation.
7.5
HIGH
CVE-2012-1562
< 2.5.3
Joomla! core before 2.5.3 allows unauthorized password change.
7.5
HIGH
CVE-2019-19846
>= 2.5.0 and <= 3.9.14
In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vect
9.8
CRITICAL
CVE-2019-19845
>= 3.8.0 and < 3.9.14
In Joomla! before 3.9.14, a missing access check in framework files could lead to a path disclosure.
5.3
MEDIUM
CVE-2019-18674
>= 3.6.0 and < 3.9.13
An issue was discovered in Joomla! before 3.9.13. A missing access check in the phputf8 mapping files could lead to a path disclos
5.3
MEDIUM
CVE-2019-18650
>= 3.2.0 and <= 3.9.12
An issue was discovered in Joomla! before 3.9.13. A missing token check in com_template causes a CSRF vulnerability.
8.8
HIGH
CVE-2019-16725
>= 3.0.0 and < 3.9.12
In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates.
6.1
MEDIUM
CVE-2019-15028
>= 1.6.2 and < 3.9.11
In Joomla! before 3.9.11, inadequate checks in com_contact could allow mail submission in disabled forms.
5.3
MEDIUM
CVE-2019-14654
all versions
In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering optio
8.8
HIGH
CVE-2019-12766
>= 3.6.0 and <= 3.9.6
An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields
6.1
MEDIUM
CVE-2019-12765
>= 3.9.0 and <= 3.9.6
An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection.
9.8
CRITICAL
CVE-2019-12764
>= 3.8.13 and < 3.9.7
An issue was discovered in Joomla! before 3.9.7. The update server URL of com_joomlaupdate can be manipulated by non Super-Admin u
6.5
MEDIUM
CVE-2019-11809
>= 1.7.0 and < 3.9.6
An issue was discovered in Joomla! before 3.9.6. The debug views of com_users do not properly escape user supplied data, which lea
6.1
MEDIUM
CVE-2019-11831
>= 3.9.3 and <= 3.9.5
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory
9.8
CRITICAL
CVE-2019-11358
>= 3.0.0 and <= 3.9.4
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Objec
6.1
MEDIUM
CVE-2019-10946
>= 3.2.0 and <= 3.9.4
An issue was discovered in Joomla! before 3.9.5. The "refresh list of helpsites" endpoint of com_users lacks access checks, allowi
7.5
HIGH
CVE-2019-10945
>= 1.5.0 and <= 3.9.4
An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanitize the folder parameter, allo
9.8
CRITICAL
CVE-2019-9714
>= 3.0.0 and < 3.9.4
An issue was discovered in Joomla! before 3.9.4. The media form field lacks escaping, leading to XSS.
6.1
MEDIUM
CVE-2019-9713
>= 3.8.0 and < 3.9.4
An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access.
7.5
HIGH
CVE-2019-9712
>= 3.2.0 and < 3.9.4
An issue was discovered in Joomla! before 3.9.4. The JSON handler in com_config lacks input validation, leading to XSS.
6.1
MEDIUM
CVE-2019-9711
>= 3.0.0 and < 3.9.4
An issue was discovered in Joomla! before 3.9.4. The item_title layout in edit views lacks escaping, leading to XSS.
6.1
MEDIUM
CVE-2019-7744
>= 2.5.0 and <= 3.9.2
An issue was discovered in Joomla! before 3.9.3. Inadequate filtering on URL fields in various core components could lead to an XS
6.1
MEDIUM
CVE-2019-7743
>= 2.5.0 and <= 3.9.2
An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for object injection attacks because th
9.8
CRITICAL
CVE-2019-7742
>= 1.0.0 and <= 3.9.2
An issue was discovered in Joomla! before 3.9.3. A combination of specific web server configurations, in connection with specific
6.1
MEDIUM
CVE-2019-7741
>= 2.5.0 and <= 3.9.2
An issue was discovered in Joomla! before 3.9.3. Inadequate checks at the Global Configuration helpurl settings allowed stored XSS
6.1
MEDIUM
CVE-2019-7740
>= 2.5.0 and <= 3.9.2
An issue was discovered in Joomla! before 3.9.3. Inadequate parameter handling in JavaScript code (core.js writeDynaList) could le
6.1
MEDIUM
CVE-2019-7739
>= 2.5.0 and <= 3.9.2
An issue was discovered in Joomla! before 3.9.3. The "No Filtering" textfilter overrides child settings in the Global Configuratio
6.1
MEDIUM
CVE-2019-6264
>= 2.5.0 and < 3.9.2
An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in mod_banners leads to a stored XSS vulnerability.
6.1
MEDIUM
CVE-2019-6263
>= 2.5.0 and < 3.9.2
An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration Text Filter settings allowed stored
4.8
MEDIUM
CVE-2019-6262
>= 2.5.0 and < 3.9.2
An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration helpurl settings allowed stored XSS
5.4
MEDIUM
CVE-2019-6261
>= 2.5.0 and < 3.9.2
An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in com_contact leads to a stored XSS vulnerability.
6.1
MEDIUM
CVE-2018-17859
>= 2.5.0 and < 3.8.13
An issue was discovered in Joomla! before 3.8.13. Inadequate checks in com_contact could allow mail submission in disabled forms.
4.3
MEDIUM
CVE-2018-17858
>= 2.5.0 and < 3.8.13
An issue was discovered in Joomla! before 3.8.13. com_installer actions do not have sufficient CSRF hardening in the backend.
8.8
HIGH
CVE-2018-17857
>= 3.1.0 and < 3.8.13
An issue was discovered in Joomla! before 3.8.13. Inadequate checks on the tags search fields can lead to an access level violatio
4.3
MEDIUM
CVE-2018-17856
>= 2.5.4 and < 3.8.13
An issue was discovered in Joomla! before 3.8.13. com_joomlaupdate allows the execution of arbitrary code. The default ACL config
7.2
HIGH
CVE-2018-17855
>= 1.5.0 and < 3.8.13
An issue was discovered in Joomla! before 3.8.13. If an attacker gets access to the mail account of a user who can approve admin
8.8
HIGH
CVE-2018-15882
< 3.8.12
An issue was discovered in Joomla! before 3.8.12. Inadequate checks in the InputFilter class could allow specifically prepared pha
9.8
CRITICAL
CVE-2018-15881
< 3.8.12
An issue was discovered in Joomla! before 3.8.12. Inadequate checks regarding disabled fields can lead to an ACL violation.
7.5
HIGH
CVE-2018-15880
< 3.8.12
An issue was discovered in Joomla! before 3.8.12. Inadequate output filtering on the user profile page could lead to a stored XSS
5.4
MEDIUM
CVE-2018-12712
>= 2.5.0 and <= 3.8.8
An issue was discovered in Joomla! 2.5.0 through 3.8.8 before 3.8.9. The autoload code checks classnames to be valid, using the "c
8.8
HIGH
CVE-2018-12711
>= 1.6.0 and <= 3.8.8
An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link o
6.1
MEDIUM
CVE-2018-6378
< 3.8.8
In Joomla! Core before 3.8.8, inadequate filtering of file and folder names leads to various XSS attack vectors in the media manag
6.1
MEDIUM
CVE-2018-11328
< 3.8.8
An issue was discovered in Joomla! Core before 3.8.8. Under specific circumstances (a redirect issued with a URI containing a user
4.7
MEDIUM
CVE-2018-11327
< 3.8.8
An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to see the names of tags that were either un
4.3
MEDIUM
CVE-2018-11326
< 3.8.8
An issue was discovered in Joomla! Core before 3.8.8. Inadequate input filtering leads to multiple XSS vulnerabilities. Addition
4.8
MEDIUM
CVE-2018-11325
< 3.8.8
An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a fo
9.8
CRITICAL
CVE-2018-11324
< 3.8.8
An issue was discovered in Joomla! Core before 3.8.8. A long running background process, such as remote checks for core or extensi
5.9
MEDIUM
CVE-2018-11323
< 3.8.8
An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups w
8.8
HIGH
CVE-2018-11322
< 3.8.8
An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as execut
7.5
HIGH
CVE-2018-11321
< 3.8.8
An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom
6.5
MEDIUM
CVE-2018-8045
>= 3.5.0 and <= 3.8.5
In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability i
8.8
HIGH
CVE-2018-6380
< 3.8.4
In Joomla! before 3.8.4, lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.
6.1
MEDIUM
CVE-2018-6379
< 3.8.4
In Joomla! before 3.8.4, inadequate input filtering in the Uri class (formerly JUri) leads to an XSS vulnerability.
6.1
MEDIUM
CVE-2018-6377
< 3.8.4
In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e., lis
6.1
MEDIUM
CVE-2018-6376
< 3.8.4
In Joomla! before 3.8.4, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the H
9.8
CRITICAL
CVE-2017-16634
>= 3.2.0 and <= 3.8.1
In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication method.
9.8
CRITICAL
CVE-2017-16633
>= 3.7.0 and <= 3.8.1
In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized user
4.3
MEDIUM
CVE-2017-14596
all versions
In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and passwo
9.8
CRITICAL
CVE-2017-14595
all versions
In Joomla! before 3.8.0, a logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in
3.7
LOW
CVE-2015-5608
all versions
Open redirect vulnerability in Joomla! CMS 3.0.0 through 3.4.1.
6.1
MEDIUM
CVE-2017-11364
all versions
The CMS installer in Joomla! before 3.7.4 does not verify a user's ownership of a webspace, which allows remote authenticated user
8.8
HIGH
CVE-2017-11612
all versions
In Joomla! before 3.7.4, inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various component
6.1
MEDIUM
CVE-2017-9934
all versions
Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability.
6.1
MEDIUM
CVE-2017-9933
all versions
Improper cache invalidation in Joomla! CMS 1.7.3 through 3.7.2 leads to disclosure of form contents.
7.5
HIGH
CVE-2017-8917
all versions
SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vecto
9.8
CRITICAL
CVE-2017-8057
all versions
In Joomla! 3.4.0 through 3.6.5 (fixed in 3.7.0), multiple files caused full path disclosures on systems with enabled error reporti
5.3
MEDIUM
CVE-2017-7989
all versions
In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even
6.5
MEDIUM
CVE-2017-7988
all versions
In Joomla! 1.6.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of form contents allows overwriting the author of an article
5.3
MEDIUM
CVE-2017-7987
all versions
In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping of file and folder names leads to XSS vulnerabilities in the
6.1
MEDIUM
CVE-2017-7986
all versions
In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of specific HTML attributes leads to XSS vulnerabilities in
6.1
MEDIUM
CVE-2017-7985
>= 1.5.0 and <= 3.6.5
In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of multibyte characters leads to XSS vulnerabilities in vari
6.1
MEDIUM
CVE-2017-7984
all versions
In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering leads to XSS in the template manager component.
6.1
MEDIUM
CVE-2017-7983
all versions
In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the JMail API leaked the used PHPMailer version in the mail heade
5.3
MEDIUM
CVE-2016-9081
all versions
Joomla! 3.4.4 through 3.6.3 allows attackers to reset username, password, and user group assignments and possibly perform other us
9.8
CRITICAL
CVE-2016-10045
>= 1.5.0 and <= 3.6.5
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and cons
9.8
CRITICAL
CVE-2016-10033
>= 1.5.0 and <= 3.6.5
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to
9.8
CRITICAL
CVE-2016-9838
<= 3.6.4
An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registrati
7.5
HIGH
CVE-2016-9837
<= 3.6.4
An issue was discovered in templates/beez3/html/com_content/article/default.php in Joomla! before 3.6.5. Inadequate permissions ch
7.5
HIGH
CVE-2016-9836
<= 3.6.4
The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file exten
9.8
CRITICAL
CVE-2016-8870
<= 3.6.3
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, wh
8.1
HIGH
CVE-2016-8869
<= 3.6.3
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 all
9.8
CRITICAL
CVE-2015-8769
all versions
SQL injection vulnerability in Joomla! 3.x before 3.4.7 allows attackers to execute arbitrary SQL commands via unspecified vectors
7.3
HIGH
CVE-2015-8565
all versions
Directory traversal vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows remote attackers to have unspecifie
CVE-2015-8564
all versions
Directory traversal vulnerability in Joomla! 3.4.x before 3.4.6 allows remote attackers to have unspecified impact via directory t
CVE-2015-8563
all versions
Cross-site request forgery (CSRF) vulnerability in the com_templates component in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4
CVE-2015-8562
all versions
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP
CVE-2015-7899
all versions
The com_content component in Joomla! 3.x before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain sensit
CVE-2015-7859
all versions
The com_contenthistory component in Joomla! 3.2 before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain
CVE-2015-7858
all versions
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified
CVE-2015-7857
all versions
SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joom
CVE-2015-7297
all versions
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified
CVE-2015-6939
all versions
Cross-site scripting (XSS) vulnerability in the login module in Joomla! 3.4.x before 3.4.4 allows remote attackers to inject arbit
CVE-2015-5397
all versions
Cross-site request forgery (CSRF) vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.2 allows remote attackers to h
CVE-2015-4654
all versions
SQL injection vulnerability in the EQ Event Calendar component for Joomla! allows remote attackers to execute arbitrary SQL comman
CVE-2014-7228
all versions
Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup f
CVE-2012-2413
<= 1.5.26
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to injec
CVE-2014-7984
all versions
Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to authenticate and bypass intended restrictions via
CVE-2014-7983
all versions
Cross-site scripting (XSS) vulnerability in com_contact in Joomla! CMS 3.1.2 through 3.2.x before 3.2.3 allows remote attackers to
CVE-2014-7982
all versions
Cross-site scripting (XSS) vulnerability in Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to inject
CVE-2014-7981
all versions
SQL injection vulnerability in Joomla! CMS 3.1.x and 3.2.x before 3.2.3 allows remote attackers to execute arbitrary SQL commands
CVE-2014-7229
all versions
Unspecified vulnerability in Joomla! before 2.5.4 before 2.5.26, 3.x before 3.2.6, and 3.3.x before 3.3.5 allows attackers to caus
CVE-2014-6632
all versions
Joomla! 2.5.x before 2.5.25, 3.x before 3.2.4, and 3.3.x before 3.3.4 allows remote attackers to authenticate and bypass intended
CVE-2014-6631
all versions
Cross-site scripting (XSS) vulnerability in com_media in Joomla! 3.2.x before 3.2.5 and 3.3.x before 3.3.4 allows remote attackers
CVE-2013-5583
all versions
Cross-site scripting (XSS) vulnerability in libraries/idna_convert/example.php in Joomla! 3.1.5 allows remote attackers to inject
CVE-2013-5576
all versions
administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allo
CVE-2013-3267
all versions
Cross-site scripting (XSS) vulnerability in the highlighter plugin in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows re
CVE-2013-3242
all versions
plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obta
CVE-2013-3059
all versions
Cross-site scripting (XSS) vulnerability in the Voting plugin in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote
CVE-2013-3058
all versions
Cross-site scripting (XSS) vulnerability in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject a
CVE-2013-3057
all versions
Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authenticated users to bypass intended privilege requirements and
CVE-2013-3056
all versions
Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authenticated users to bypass intended privilege requirements and
CVE-2013-1455
all versions
Joomla! 3.0.x through 3.0.2 allows attackers to obtain sensitive information via unspecified vectors related to an "Undefined vari
CVE-2013-1454
all versions
Joomla! 3.0.x through 3.0.2 allows attackers to obtain sensitive information via unspecified vectors related to "Coding errors."
CVE-2013-1453
all versions
plugins/system/highlight/highlight.php in Joomla! 3.0.x through 3.0.2 and 2.5.x through 2.5.8 allows attackers to unserialize arbi
CVE-2012-1599
all versions
Joomla! 1.5.x before 1.5.26 does not properly check permissions, which allows attackers to obtain sensitive "administrative back e
CVE-2012-1598
all versions
Joomla! 1.5.x before 1.5.26 has unspecified impact and attack vectors related to "insufficient randomness" and a "password reset v
CVE-2012-5827
all versions
Joomla! 2.5.x before 2.5.8 and 3.0.x before 3.0.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors
CVE-2012-4532
all versions
Cross-site scripting (XSS) vulnerability in modules/mod_languages/tmpl/default.php in the Language Switcher module for Joomla! 2.5
CVE-2012-4531
all versions
Cross-site scripting (XSS) vulnerability in Joomla! 2.5.x before 2.5.7 allows remote attackers to inject arbitrary web script or H
CVE-2012-5455
all versions
Cross-site scripting (XSS) vulnerability in the language search component in Joomla! before 3.0.1 allows remote attackers to injec
CVE-2011-4911
<= 1.5.11
Joomla! before 1.5.12 does not perform a JEXEC check in unspecified files, which allows remote attackers to obtain the installatio
CVE-2011-4910
<= 1.5.11
Cross-site scripting (XSS) vulnerability in Joomla! before 1.5.12 allows remote attackers to inject arbitrary web script or HTML v
CVE-2011-4909
<= 1.5.11
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.5.12 allow remote attackers to inject arbitrary web script
CVE-2012-1117
all versions
Cross-site scripting (XSS) vulnerability in Joomla! 2.5.0 and 2.5.1 allows remote attackers to inject arbitrary web script or HTML
CVE-2012-1116
all versions
SQL injection vulnerability in Joomla! 1.7.x and 2.5.x before 2.5.2 allows remote attackers to execute arbitrary SQL commands via
CVE-2012-1612
all versions
Cross-site scripting (XSS) vulnerability in the update manager in Joomla! 2.5.x before 2.5.4 allows remote attackers to inject arb
CVE-2012-1611
all versions
Joomla! 2.5.x before 2.5.4 does not properly check permissions, which allows attackers to obtain sensitive "administrative back en
CVE-2012-0837
all versions
Joomla! 1.7.x before 1.7.5 and 2.5.x before 2.5.1 allows attackers to obtain the installation path via unspecified vectors related
CVE-2012-0836
all versions
Unspecified vulnerability in Joomla! 1.7.x before 1.7.5 allows attackers to read the error log via unknown vectors.
CVE-2012-0835
all versions
Unspecified vulnerability in Joomla! 1.7.x before 1.7.5 and 2.5.x before 2.5.1 allows attackers to obtain sensitive information vi
CVE-2012-0822
all versions
Cross-site scripting (XSS) vulnerability in Joomla! 1.6 and 1.7.x before 1.7.4 allows remote attackers to inject arbitrary web scr
CVE-2012-0821
all versions
Unspecified vulnerability in Joomla! 1.6.x and 1.7.x before 1.7.4 allows remote attackers to obtain sensitive information via unkn
CVE-2012-0820
all versions
Cross-site scripting (XSS) vulnerability in Joomla! 1.6.x and 1.7.x before 1.7.4 allows remote attackers to inject arbitrary web s
CVE-2012-0819
all versions
Unspecified vulnerability in Joomla! 1.6.x and 1.7.x before 1.7.4 allows remote attackers to obtain sensitive information via unkn
CVE-2006-7247
<= 1.0.9
SQL injection vulnerability in the Weblinks (com_weblinks) component for Joomla! and Mambo 1.0.9 and earlier allows remote attacke
CVE-2012-3829
all versions
Joomla! 2.5.3 allows remote attackers to obtain the installation path via the Host HTTP Header.
CVE-2012-3828
all versions
Cross-site scripting (XSS) vulnerability in Joomla! 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the H
CVE-2012-2748
all versions
Unspecified vulnerability in Joomla! 2.5.x before 2.5.5 allows remote attackers to obtain sensitive information via vectors relate
CVE-2012-2747
all versions
Unspecified vulnerability in Joomla! 2.5.x before 2.5.5 allows remote attackers to gain privileges via unknown attack vectors rela
CVE-2011-4332
<= 1.6.3
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.6.3 and earlier allow remote attackers to inject arbitrary web sc
CVE-2011-4321
all versions
The password reset functionality in Joomla! 1.5.x through 1.5.24 uses weak random numbers, which makes it easier for remote attack
CVE-2010-4938
all versions
SQL injection vulnerability in the Weblinks (com_weblinks) component in Joomla! allows remote attackers to execute arbitrary SQL c
CVE-2011-3747
all versions
Joomla! 1.6.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the insta
CVE-2011-2892
all versions
Joomla! 1.6.x before 1.6.2 does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier fo
CVE-2011-2891
all versions
Joomla! 1.6.x before 1.6.2 allows remote attackers to obtain sensitive information via an empty Itemid array parameter to index.ph
CVE-2011-2890
<= 1.5.23
The MediaViewMedia class in administrator/components/com_media/views/media/view.html.php in Joomla! 1.5.23 and earlier allows remo
CVE-2011-2889
<= 1.5.22
templates/system/error.php in Joomla! before 1.5.23 might allow remote attackers to obtain sensitive information via unspecified v
CVE-2011-2710
<= 1.6.6
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.7.0 allow remote attackers to inject arbitrary web script
CVE-2011-2509
<= 1.6.3
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script
CVE-2011-2488
<= 1.5.22
Joomla! before 1.5.23 does not properly check for errors, which allows remote attackers to obtain sensitive information via unspec
CVE-2010-4696
all versions
Multiple SQL injection vulnerabilities in Joomla! 1.5.x before 1.5.22 allow remote attackers to execute arbitrary SQL commands via
CVE-2010-4166
all versions
Multiple SQL injection vulnerabilities in Joomla! 1.5.x before 1.5.22 allow remote attackers to execute arbitrary SQL commands via
CVE-2010-3712
all versions
Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x before 1.5.21 and 1.6.x before 1.6.1 allows remote attackers to inject a
CVE-2010-2535
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the Back End in Joomla! 1.5.x before 1.5.20 allow remote authenticated user
CVE-2010-2679
all versions
SQL injection vulnerability in the Weblinks (com_weblinks) component in Joomla! allows remote attackers to execute arbitrary SQL c
CVE-2010-1649
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the back end in Joomla! 1.5 through 1.5.17 allow remote attackers to inject
CVE-2009-3946
<= 1.5.14
Joomla! before 1.5.15 allows remote attackers to read an extension's XML file, and thereby obtain the extension's version number,
CVE-2009-3945
<= 1.5.14
Unspecified vulnerability in the Front-End Editor in the com_content component in Joomla! before 1.5.15 allows remote authenticate
CVE-2008-6852
all versions
SQL injection vulnerability in the Ice Gallery (com_ice) component 0.5 beta 2 for Joomla! allows remote attackers to execute arbit
CVE-2009-1940
all versions
Cross-site scripting (XSS) vulnerability in the administrator panel in the com_users core component for Joomla! 1.5.x through 1.5.
CVE-2009-1939
all versions
Cross-site scripting (XSS) vulnerability in the JA_Purity template for Joomla! 1.5.x through 1.5.10 allows remote attackers to inj
CVE-2009-1938
all versions
Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x through 1.5.10 allows remote attackers to inject arbitrary web script or
CVE-2009-1499
all versions
SQL injection vulnerability in the MailTo (aka com_mailto) component in Joomla! allows remote attackers to execute arbitrary SQL c
CVE-2009-1280
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in the com_media component for Joomla! 1.5.x through 1.5.9 allow remote
CVE-2009-1279
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.5 through 1.5.9 allow remote attackers to inject arbitrary web sc
CVE-2008-6299
<= 1.5.7
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.5.7 and earlier allow remote authenticated users with certain pri
CVE-2009-0378
all versions
Cross-site scripting (XSS) vulnerability in index.php in the beamospetition (com_beamospetition) 1.0.12 component for Joomla! allo
CVE-2009-0377
all versions
SQL injection vulnerability in the beamospetition (com_beamospetition) 1.0.12 component for Joomla! allows remote attackers to exe
CVE-2008-4122
all versions
Joomla! 1.5.8 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers
7.5
HIGH
CVE-2008-5671
<= 1.0.14
PHP remote file inclusion vulnerability in index.php in Joomla! 1.0.11 through 1.0.14, when RG_EMULATION is enabled in configurati
CVE-2008-4105
all versions
JRequest in Joomla! 1.5 before 1.5.7 does not sanitize variables that were set with JRequest::setVar, which allows remote attacker
CVE-2008-4104
all versions
Multiple open redirect vulnerabilities in Joomla! 1.5 before 1.5.7 allow remote attackers to redirect users to arbitrary web sites
CVE-2008-4102
all versions
Joomla! 1.5 before 1.5.7 initializes PHP's PRNG with a weak seed, which makes it easier for attackers to guess the pseudo-random v
CVE-2008-3228
<= 1.5.3
Joomla! before 1.5.4 does not configure .htaccess to apply certain security checks that "block common exploits" to SEF URLs, which
CVE-2008-3227
<= 1.5.3
Unspecified vulnerability in Joomla! before 1.5.4 has unknown impact and attack vectors related to a "User Redirect Spam fix," pos
CVE-2008-3226
<= 1.5.3
The file caching implementation in Joomla! before 1.5.4 allows attackers to access cached pages via unknown attack vectors.
CVE-2008-3225
<= 1.5.3
Joomla! before 1.5.4 allows attackers to access administration functionality, which has unknown impact and attack vectors related
CVE-2008-3132
all versions
SQL injection vulnerability in the beamospetition (com_beamospetition) component for Joomla! allows remote attackers to execute ar
CVE-2008-2990
all versions
PHP remote file inclusion vulnerability in facileforms.frame.php in the FacileForms (com_facileforms) component 1.4.4 for Mambo an
CVE-2008-2676
all versions
SQL injection vulnerability in the iJoomla News Portal (com_news_portal) component 1.0 and earlier for Joomla! allows remote attac
CVE-2008-2633
all versions
Multiple SQL injection vulnerabilities in the EXP JoomRadio (com_joomradio) component 1.0 for Joomla! allow remote attackers to ex
CVE-2008-2632
all versions
SQL injection vulnerability in the acctexp (com_acctexp) component 0.12.x and earlier for Joomla! allows remote attackers to execu
CVE-2008-2568
all versions
SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) component 3.4 and earlier for Joomla! allows remote attacke
CVE-2008-2564
all versions
SQL injection vulnerability in the JotLoader (com_jotloader) component 1.2.1.a and earlier for Joomla! allows remote attackers to
CVE-2008-1935
all versions
SQL injection vulnerability in the Filiale 1.0.4 component for Joomla! allows remote attackers to execute arbitrary SQL commands v
CVE-2008-1533
<= 1.5
Unspecified vulnerability in the XML-RPC Blogger API plugin in Joomla! 1.5 allows remote attackers to perform unauthorized article
CVE-2008-0918
all versions
SQL injection vulnerability in includes/count_dl_or_link.inc.php in the astatsPRO (com_astatspro) 1.0.1 component for Joomla! allo
CVE-2008-0849
all versions
SQL injection vulnerability in index.php in the Downloads (com_downloads) component for Mambo and Joomla! allows remote attackers
CVE-2008-0839
all versions
SQL injection vulnerability in refer.php in the astatsPRO (com_astatspro) 1.0 component for Joomla! allows remote attackers to exe
CVE-2008-0829
all versions
SQL injection vulnerability in jooget.php in the Joomlapixel Jooget! (com_jooget) 2.6.8 component for Joomla! and Mambo allows rem
CVE-2008-0795
all versions
SQL injection vulnerability in index.php in the MGFi XfaQ (com_xfaq) 1.2 component for Mambo and Joomla! allows remote attackers t
CVE-2008-0652
all versions
SQL injection vulnerability in index.php in the Downloads (com_downloads) component for Mambo and Joomla! allows remote attackers
CVE-2008-0561
all versions
SQL injection vulnerability in index.php in the Arthur Konze AkoGallery (com_akogallery) 2.5 beta component for Mambo and Joomla!
CVE-2008-0517
all versions
SQL injection vulnerability in index.php in the Darko Selesi EstateAgent (com_estateagent) 0.1 component for Mambo 4.5.x and Jooml
CVE-2007-6645
all versions
Unspecified vulnerability in Joomla! before 1.5 RC4 allows remote authenticated users to gain privileges via unspecified vectors,
CVE-2007-6644
all versions
Joomla! before 1.5 RC4 allows remote authenticated administrators to promote arbitrary users to the administrator group, in violat
CVE-2007-6643
all versions
Cross-site scripting (XSS) vulnerability in the com_poll component in Joomla! before 1.5 RC4 allows remote attackers to inject arb
CVE-2007-6642
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in Joomla! before 1.5 RC4 allow remote attackers to (1) add a Super Adm
CVE-2007-6362
all versions
SQL injection vulnerability in index.php in the RSGallery (com_rsgallery) 2.0 beta 5 and earlier component for Mambo and Joomla! a
CVE-2007-6272
all versions
Multiple SQL injection vulnerabilities in index.php in Joomla! 1.5 RC3 allow remote attackers to execute arbitrary SQL commands vi
CVE-2007-5577
< 1.0.13
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.13 (aka Sunglow) allow remote attackers to inject arbitr
CVE-2007-5457
all versions
Multiple PHP remote file inclusion vulnerabilities in Michael Dempfle Joomla Flash Uploader (com_jfu or com_joomla_flash_uploader)
CVE-2007-5451
all versions
PHP remote file inclusion vulnerability in admin.color.php in the com_colorlab (aka com_color) 1.0 component for Joomla! allows re
CVE-2007-5427
<= 1.0.13
Cross-site scripting (XSS) vulnerability in the com_search component in Joomla! 1.0.13 and earlier allows remote attackers to inje
CVE-2007-5410
all versions
PHP remote file inclusion vulnerability in admin.wmtrssreader.php in the webmaster-tips.net Flash RSS Reader (com_wmtrssreader) 1.
CVE-2007-5389
all versions
PHP remote file inclusion vulnerability in preview.php in the swMenuFree (com_swmenufree) 4.6 component for Joomla! allows remote
CVE-2007-5363
all versions
PHP remote file inclusion vulnerability in admin.panoramic.php in the Panoramic Picture Viewer (com_panoramic) mambot (plugin) 1.0
CVE-2007-5362
all versions
Multiple PHP remote file inclusion vulnerabilities in the Avant-Garde Solutions MOSMedia Lite (com_mosmedia) 4.5.1 component for M
CVE-2007-5310
all versions
PHP remote file inclusion vulnerability in admin.wmtportfolio.php in the webmaster-tips.net wmtportfolio 1.0 (com_wmtportfolio) co
CVE-2007-5309
all versions
PHP remote file inclusion vulnerability in admin.wmtgallery.php in the webmaster-tips.net Flash Image Gallery (com_wmtgallery) 1.0
CVE-2007-5065
all versions
PHP remote file inclusion vulnerability in admin.slideshow1.php in the Flash Slide Show (com_slideshow) component for Joomla! allo
CVE-2007-4781
all versions
administrator/index.php in the installer component (com_installer) in Joomla! 1.5 Beta1, Beta2, and RC1 allows remote authenticate
CVE-2007-4780
all versions
Joomla! 1.5 before RC2 (aka Endeleo) allows remote attackers to obtain sensitive information (the full path) via unspecified vecto
CVE-2007-4779
all versions
Cross-site scripting (XSS) vulnerability in Joomla! 1.5 before RC2 (aka Endeleo) allows remote attackers to inject arbitrary web s
CVE-2007-4778
all versions
Multiple SQL injection vulnerabilities in the content component (com_content) in Joomla! 1.5 Beta1, Beta2, and RC1 allow remote at
CVE-2007-4777
all versions
SQL injection vulnerability in Joomla! 1.5 before RC2 (aka Endeleo) allows remote attackers to execute arbitrary SQL commands via
CVE-2007-4190
< 1.0.13
CRLF injection vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to inject arbitrary HTTP headers and p
CVE-2007-4189
< 1.0.13
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.13 (aka Sunglow) allow remote attackers to inject arbitr
CVE-2007-4188
< 1.0.13
Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web session
CVE-2007-4187
all versions
Multiple eval injection vulnerabilities in the com_search component in Joomla! 1.5 beta before RC1 (aka Mapya) allow remote attack
CVE-2007-4185
all versions
Joomla! 1.0.12 allows remote attackers to obtain sensitive information via a direct request for (1) Stat.php (2) OutputFilter.php,
CVE-2007-4184
all versions
SQL injection vulnerability in administrator/popups/pollwindow.php in Joomla! 1.0.12 allows remote attackers to execute arbitrary
CVE-2007-2199
all versions
PHP remote file inclusion vulnerability in lib/pcltar.lib.php (aka pcltar.php) in the PclTar module 1.3 and 1.3.1 for Vincent Blav
CVE-2006-7126
all versions
SQL injection vulnerability in Joomla BSQ Sitestats 1.8.0 and 2.2.1 allows remote attackers to execute arbitrary SQL commands via
CVE-2006-7125
all versions
Cross-site scripting (XSS) vulnerability in Joomla BSQ Sitestats 1.8.0 and 2.2.1 allows remote attackers to inject arbitrary web s
CVE-2006-7124
all versions
PHP remote file inclusion vulnerability in external/rssfeeds.php in BSQ Sitestats (component for Joomla) 1.8.0, and possibly other
CVE-2006-7123
all versions
Multiple SQL injection vulnerabilities in BSQ Sitestats (component for Joomla) 1.8.0, and possibly other versions before 2.2.1, al
CVE-2006-7122
all versions
Cross-site scripting (XSS) vulnerability in the IP Address Lookup functionality in BSQ Sitestats (component for Joomla) 1.8.0, and
CVE-2006-7010
all versions
The mosgetparam implementation in Joomla! before 1.0.10, does not set a variable's data type to integer when the variable's defaul
CVE-2006-7009
all versions
Joomla! before 1.0.10 allows remote attackers to spoof the frontend submission forms, which has unknown impact and attack vectors.
CVE-2006-7008
all versions
Unspecified vulnerability in Joomla! before 1.0.10 has unknown impact and attack vectors, related to "securing mosmsg from misuse.
CVE-2006-6962
all versions
PHP remote file inclusion vulnerability in rsgallery2.html.php in the RS Gallery2 component (com_rsgallery2) 1.11.2 for Joomla! al
CVE-2007-0387
all versions
SQL injection vulnerability in models/category.php in the Weblinks component for Joomla! SVN 20070118 (com_weblinks) allows remote
CVE-2007-0375
all versions
Joomla! 1.5.0 Beta allows remote attackers to obtain sensitive information via a direct request for (1) plugins/user/example.php;
CVE-2007-0374
all versions
SQL injection vulnerability in (1) Joomla! 1.0.11 and 1.5 Beta, and (2) Mambo 4.6.1, allows remote attackers to execute arbitrary
CVE-2007-0373
all versions
Multiple SQL injection vulnerabilities in Joomla! 1.5.0 Beta allow remote attackers to execute arbitrary SQL commands via (1) the
CVE-2006-6834
all versions
Multiple unspecified vulnerabilities in Joomla! before 1.0.12 have unknown impact and attack vectors related to (1) "unneeded lega
CVE-2006-6833
all versions
com_categories in Joomla! before 1.0.12 does not validate input, which has unknown impact and remote attack vectors.
CVE-2006-6832
all versions
Cross-site scripting (XSS) vulnerability in Joomla! before 1.0.12 allows remote attackers to inject arbitrary web script or HTML v
CVE-2006-5047
<= 1.11.2_alpha
Unspecified vulnerability in rsgallery2.html.php in RS Gallery2 component (com_rsgallery2) before 1.11.3 for Joomla! allows attack
CVE-2006-5046
<= 1.11.3_alpha
Unspecified vulnerability in RS Gallery2 (com_rsgallery2) 1.11.3 and earlier for Joomla! has unspecified impact and attack vectors
CVE-2006-4995
all versions
PHP remote file inclusion vulnerability in BSQ Sitestats (bsq_sitestats) before 2.1.1 for Joomla! allows remote attackers to execu
CVE-2006-4476
<= 1.0.10
Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related to "Injection Flaws," allow attackers to have an unknown im
CVE-2006-4475
<= 1.0.10
Joomla! before 1.0.11 does not limit access to the Admin Popups functionality, which has unknown impact and attack vectors.
CVE-2006-4474
<= 1.0.10
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.11 allow remote attackers to inject arbitrary web script
CVE-2006-4473
<= 1.0.10
Unspecified vulnerability in com_content in Joomla! before 1.0.11, when $mosConfig_hideEmail is set, allows attackers to perform t
CVE-2006-4472
< 1.0.11
Multiple unspecified vulnerabilities in Joomla! before 1.0.11 allow attackers to bypass user authentication via unknown vectors in
CVE-2006-4471
< 1.0.11
The Admin Upload Image functionality in Joomla! before 1.0.11 allows remote authenticated users to upload files outside of the /im
CVE-2006-4470
< 1.0.11
Joomla! before 1.0.11 omits some checks for whether _VALID_MOS is defined, which allows attackers to have an unknown impact, possi
CVE-2006-4469
< 1.0.11
Unspecified vulnerability in PEAR.php in Joomla! before 1.0.11 allows remote attackers to perform "remote execution," related to "
CVE-2006-4468
< 1.0.11
Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related to unvalidated input, allow attackers to have an unknown im
CVE-2006-4466
<= 1.0.10
Joomla! before 1.0.11 does not properly unset variables when the input data includes a numeric parameter with a value matching an
CVE-2006-3481
all versions
Multiple SQL injection vulnerabilities in Joomla! before 1.0.10 allow remote attackers to execute arbitrary SQL commands via unspe
CVE-2006-3480
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.10 allow remote attackers to inject arbitrary web script
CVE-2006-2960
all versions
PHP remote file inclusion vulnerability in includes/joomla.php in Joomla! 1.0 allows remote attackers to execute arbitrary PHP cod
CVE-2006-1957
all versions
The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remote attackers to cause a denial of service (disk consumption a
CVE-2006-1956
all versions
The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remote attackers to obtain sensitive information via an invalid f
CVE-2006-1049
<= 1.0.7
Multiple SQL injection vulnerabilities in the Admin functionality in Joomla! 1.0.7 and earlier allow remote authenticated administ
CVE-2006-1048
all versions
Joomla! 1.0.7 and earlier allows attackers to bypass intended access restrictions and gain certain privileges via certain attack v
CVE-2006-1047
all versions
Unspecified vulnerability in the "Remember Me login functionality" in Joomla! 1.0.7 and earlier has unknown impact and attack vect
CVE-2006-1030
all versions
Unspecified vulnerability in mod_templatechooser in Joomla! 1.0.7 allows remote attackers to obtain sensitive information via an u
CVE-2006-1029
all versions
The cross-site scripting (XSS) countermeasures in class.inputfilter.php in Joomla! 1.0.7 allow remote attackers to cause a denial
CVE-2006-1028
all versions
feedcreator.class.php (aka the syndication component) in Joomla! 1.0.7 allows remote attackers to cause a denial of service (stres
CVE-2006-1027
all versions
feedcreator.class.php (aka the syndication component) in Joomla! 1.0.7 allows remote attackers to obtain sensitive information via
CVE-2006-0303
all versions
Multiple unspecified vulnerabilities in the (1) publishing component, (2) Contact Component, (3) TinyMCE Compressor, and (4) other
CVE-2006-0114
all versions
The vCard functions in Joomla! 1.0.5 use predictable sequential IDs for vcards and do not restrict access to them, which allows re
CVE-2005-4650
all versions
Joomla! 1.03 does not restrict the number of "Search" Mambots, which allows remote attackers to cause a denial of service (resourc
5.3
MEDIUM
CVE-2005-3773
all versions
Unspecified vulnerability in Joomla! before 1.0.4 has unknown impact and attack vectors, related to "Potential misuse of Media com
CVE-2005-3772
all versions
Multiple SQL injection vulnerabilities in Joomla! before 1.0.4 allow remote attackers to execute arbitrary SQL commands via the (1
CVE-2005-3771
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.4 allow remote attackers to inject arbitrary web script