Joomla: community verdicts
14 notable / known-exploited Joomla CVEs the community has triaged.
- CVE-2023-23752MED 5.3KEVEPSS 100%
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
- CVE-2016-10033CRIT 9.8KEVEPSS 100%
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
- CVE-2026-48958HIGH 8.8Real · low riskEPSS 0%
An improper access check allows unauthorized users to create custom fields via webservices endpoints.
- CVE-2026-48950MED 6.1EPSS 0%
Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.
- CVE-2026-48949MED 6.1EPSS 0%
Lack of validation leads to an XSS vulnerability in the MFA management views.
- CVE-2026-48953MED 6.1EPSS 0%
Lack of escaping leads to an XSS vulnerability in the generic image output layout.
- CVE-2026-48952MED 6.1EPSS 0%
Lack of escaping leads to an XSS vulnerability in the update list view of com_installer.
- CVE-2026-48951MED 6.1EPSS 0%
Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.
- CVE-2026-48954MED 6.1EPSS 0%
Improper validation leads to a generic XSS vector in the language override feature.
- CVE-2026-48957HIGH 8.8Real · low riskEPSS 0%
An improper access check allows unauthorized users to access com_privacy datasets.
- CVE-2026-48948HIGH 8.8Real · low riskEPSS 0%
An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.
- CVE-2026-48955MED 6.5EPSS 0%
An improper access check allows unauthorized users to access workflow stage and transition information.
- CVE-2026-48956MED 5EPSS 0%
An improper access check allows users to display a list of modules in the frontend.
- CVE-2026-48947MED 4.9EPSS 0%
An improper access check allows privileged users to overwrite media files without editing permissions.