Skip to content
Threat Feed
high advisory

Multiple Vulnerabilities Discovered in Joomla! CMS

Multiple vulnerabilities, including several Cross-Site Scripting (XSS) flaws and incorrect access control issues, have been discovered in Joomla! versions 6.x prior to 6.1.2 and 5.x prior to 5.4.7, which could allow an attacker to bypass security policies, compromise data confidentiality and integrity, and perform remote indirect code injection.

On July 8, 2026, the French National Cybersecurity Agency (ANSSI) CERT-FR issued an advisory detailing multiple vulnerabilities impacting the Joomla! Content Management System. These flaws affect Joomla! 6.x versions earlier than 6.1.2 and Joomla! 5.x versions earlier than 5.4.7. The vulnerabilities encompass various Cross-Site Scripting (XSS) issues and several instances of incorrect access control within components like com-media-webservice-endpoints, com-contact-vcf-download, com-workflow, com-modules, com-privacy-webservice-endpoints, and com-fields-webservice-endpoints. Successful exploitation could lead to breaches of data confidentiality, compromises of data integrity, remote indirect code injection, and a general bypass of security policies, potentially granting unauthorized access or control over the affected Joomla! instance and its data. Organizations running vulnerable versions of Joomla! are urged to apply patches immediately to mitigate these risks.

Attack Chain

  1. An unauthenticated or low-privileged attacker identifies a vulnerable Joomla! instance.
  2. The attacker crafts a malicious request targeting specific Joomla! components, such as com-templates or com-installer, containing XSS payloads.
  3. The crafted request leverages the XSS vulnerability (e.g., CVE-2026-48949, CVE-2026-48950, CVE-2026-48951, CVE-2026-48952, CVE-2026-48953, CVE-2026-48954) to inject malicious client-side script into web pages viewed by other users, including administrators.
  4. Alternatively, the attacker exploits incorrect access control vulnerabilities (e.g., CVE-2026-48947, CVE-2026-48948, CVE-2026-48955, CVE-2026-48956, CVE-2026-48957, CVE-2026-48958) in various webservice endpoints or components.
  5. Through XSS, the attacker compromises legitimate user sessions, potentially stealing cookies, session tokens, or performing actions on behalf of the victim.
  6. Through incorrect access control, the attacker gains unauthorized access to sensitive data, modifies system configurations, or manipulates content, leading to data confidentiality and integrity breaches.

Impact

The identified vulnerabilities could result in significant damage to affected organizations. Successful exploitation of the Cross-Site Scripting (XSS) flaws can lead to session hijacking, defacement, or redirection, potentially exposing administrative credentials or sensitive user data. The incorrect access control vulnerabilities could allow unauthorized users to view, modify, or delete critical information, leading to data breaches or integrity compromises. While no specific victim count or targeted sectors were detailed in the advisory, any organization utilizing vulnerable Joomla! versions is at risk of unauthorized data access, website defacement, and potential regulatory non-compliance due to data exposure.

Recommendation

  • Prioritize patching all affected Joomla! installations to versions 6.1.2 or later, or 5.4.7 or later, as recommended in the CERTFR-2026-AVI-0847 advisory.
  • Review web server access logs for unusual requests containing script-like characters in parameters, especially for URLs related to com-templates, com-installer, or other components mentioned in the Joomla! security bulletins.
  • Implement a robust Web Application Firewall (WAF) to detect and block malicious requests attempting to exploit CVE-2026-48949, CVE-2026-48950, CVE-2026-48951, CVE-2026-48952, CVE-2026-48953, and CVE-2026-48954.
  • Regularly back up Joomla! databases and file systems to ensure data integrity can be restored in case of a successful exploit leading to data corruption or loss.

Indicators of compromise

24

url

TypeValue
urlhttps://developer.joomla.org/security-centre/1055-20260701-core-incorrect-access-control-in-com-media-webservice-endpoints.html
urlhttps://developer.joomla.org/security-centre/1056-20260702-core-incorrect-access-control-in-com-contact-vcf-download.html
urlhttps://developer.joomla.org/security-centre/1057-20260703-core-xss-in-mfa-method-management.html
urlhttps://developer.joomla.org/security-centre/1058-20260704-core-xss-in-com-templates.html
urlhttps://developer.joomla.org/security-centre/1059-20260705-core-xss-in-various-modalreturn-layouts.html
urlhttps://developer.joomla.org/security-centre/1060-20260706-core-xss-in-com-installer.html
urlhttps://developer.joomla.org/security-centre/1061-20260707-core-xss-in-the-generic-image-output-layout.html
urlhttps://developer.joomla.org/security-centre/1062-20260708-core-xss-through-language-overrides.html
urlhttps://developer.joomla.org/security-centre/1063-20260709-core-incorrect-access-control-in-com-workflow.html
urlhttps://developer.joomla.org/security-centre/1064-20260710-core-incorrect-access-control-in-com-modules.html
urlhttps://developer.joomla.org/security-centre/1065-20260711-core-incorrect-access-control-in-com-privacy-webservice-endpoints.html
urlhttps://developer.joomla.org/security-centre/1066-20260712-core-incorrect-access-control-in-com-fields-webservice-endpoints.html
urlhttps://www.cve.org/CVERecord?id=CVE-2026-48947
urlhttps://www.cve.org/CVERecord?id=CVE-2026-48948
urlhttps://www.cve.org/CVERecord?id=CVE-2026-48949
urlhttps://www.cve.org/CVERecord?id=CVE-2026-48950
urlhttps://www.cve.org/CVERecord?id=CVE-2026-48951
urlhttps://www.cve.org/CVERecord?id=CVE-2026-48952
urlhttps://www.cve.org/CVERecord?id=CVE-2026-48953
urlhttps://www.cve.org/CVERecord?id=CVE-2026-48954
urlhttps://www.cve.org/CVERecord?id=CVE-2026-48955
urlhttps://www.cve.org/CVERecord?id=CVE-2026-48956
urlhttps://www.cve.org/CVERecord?id=CVE-2026-48957
urlhttps://www.cve.org/CVERecord?id=CVE-2026-48958