Multiple Vulnerabilities Discovered in Joomla! CMS
Multiple vulnerabilities, including several Cross-Site Scripting (XSS) flaws and incorrect access control issues, have been discovered in Joomla! versions 6.x prior to 6.1.2 and 5.x prior to 5.4.7, which could allow an attacker to bypass security policies, compromise data confidentiality and integrity, and perform remote indirect code injection.
On July 8, 2026, the French National Cybersecurity Agency (ANSSI) CERT-FR issued an advisory detailing multiple vulnerabilities impacting the Joomla! Content Management System. These flaws affect Joomla! 6.x versions earlier than 6.1.2 and Joomla! 5.x versions earlier than 5.4.7. The vulnerabilities encompass various Cross-Site Scripting (XSS) issues and several instances of incorrect access control within components like com-media-webservice-endpoints, com-contact-vcf-download, com-workflow, com-modules, com-privacy-webservice-endpoints, and com-fields-webservice-endpoints. Successful exploitation could lead to breaches of data confidentiality, compromises of data integrity, remote indirect code injection, and a general bypass of security policies, potentially granting unauthorized access or control over the affected Joomla! instance and its data. Organizations running vulnerable versions of Joomla! are urged to apply patches immediately to mitigate these risks.
Attack Chain
- An unauthenticated or low-privileged attacker identifies a vulnerable Joomla! instance.
- The attacker crafts a malicious request targeting specific Joomla! components, such as
com-templatesorcom-installer, containing XSS payloads. - The crafted request leverages the XSS vulnerability (e.g., CVE-2026-48949, CVE-2026-48950, CVE-2026-48951, CVE-2026-48952, CVE-2026-48953, CVE-2026-48954) to inject malicious client-side script into web pages viewed by other users, including administrators.
- Alternatively, the attacker exploits incorrect access control vulnerabilities (e.g., CVE-2026-48947, CVE-2026-48948, CVE-2026-48955, CVE-2026-48956, CVE-2026-48957, CVE-2026-48958) in various webservice endpoints or components.
- Through XSS, the attacker compromises legitimate user sessions, potentially stealing cookies, session tokens, or performing actions on behalf of the victim.
- Through incorrect access control, the attacker gains unauthorized access to sensitive data, modifies system configurations, or manipulates content, leading to data confidentiality and integrity breaches.
Impact
The identified vulnerabilities could result in significant damage to affected organizations. Successful exploitation of the Cross-Site Scripting (XSS) flaws can lead to session hijacking, defacement, or redirection, potentially exposing administrative credentials or sensitive user data. The incorrect access control vulnerabilities could allow unauthorized users to view, modify, or delete critical information, leading to data breaches or integrity compromises. While no specific victim count or targeted sectors were detailed in the advisory, any organization utilizing vulnerable Joomla! versions is at risk of unauthorized data access, website defacement, and potential regulatory non-compliance due to data exposure.
Recommendation
- Prioritize patching all affected Joomla! installations to versions 6.1.2 or later, or 5.4.7 or later, as recommended in the CERTFR-2026-AVI-0847 advisory.
- Review web server access logs for unusual requests containing script-like characters in parameters, especially for URLs related to
com-templates,com-installer, or other components mentioned in the Joomla! security bulletins. - Implement a robust Web Application Firewall (WAF) to detect and block malicious requests attempting to exploit CVE-2026-48949, CVE-2026-48950, CVE-2026-48951, CVE-2026-48952, CVE-2026-48953, and CVE-2026-48954.
- Regularly back up Joomla! databases and file systems to ensure data integrity can be restored in case of a successful exploit leading to data corruption or loss.
Indicators of compromise
24
url
| Type | Value |
|---|---|
| url | https://developer.joomla.org/security-centre/1055-20260701-core-incorrect-access-control-in-com-media-webservice-endpoints.html |
| url | https://developer.joomla.org/security-centre/1056-20260702-core-incorrect-access-control-in-com-contact-vcf-download.html |
| url | https://developer.joomla.org/security-centre/1057-20260703-core-xss-in-mfa-method-management.html |
| url | https://developer.joomla.org/security-centre/1058-20260704-core-xss-in-com-templates.html |
| url | https://developer.joomla.org/security-centre/1059-20260705-core-xss-in-various-modalreturn-layouts.html |
| url | https://developer.joomla.org/security-centre/1060-20260706-core-xss-in-com-installer.html |
| url | https://developer.joomla.org/security-centre/1061-20260707-core-xss-in-the-generic-image-output-layout.html |
| url | https://developer.joomla.org/security-centre/1062-20260708-core-xss-through-language-overrides.html |
| url | https://developer.joomla.org/security-centre/1063-20260709-core-incorrect-access-control-in-com-workflow.html |
| url | https://developer.joomla.org/security-centre/1064-20260710-core-incorrect-access-control-in-com-modules.html |
| url | https://developer.joomla.org/security-centre/1065-20260711-core-incorrect-access-control-in-com-privacy-webservice-endpoints.html |
| url | https://developer.joomla.org/security-centre/1066-20260712-core-incorrect-access-control-in-com-fields-webservice-endpoints.html |
| url | https://www.cve.org/CVERecord?id=CVE-2026-48947 |
| url | https://www.cve.org/CVERecord?id=CVE-2026-48948 |
| url | https://www.cve.org/CVERecord?id=CVE-2026-48949 |
| url | https://www.cve.org/CVERecord?id=CVE-2026-48950 |
| url | https://www.cve.org/CVERecord?id=CVE-2026-48951 |
| url | https://www.cve.org/CVERecord?id=CVE-2026-48952 |
| url | https://www.cve.org/CVERecord?id=CVE-2026-48953 |
| url | https://www.cve.org/CVERecord?id=CVE-2026-48954 |
| url | https://www.cve.org/CVERecord?id=CVE-2026-48955 |
| url | https://www.cve.org/CVERecord?id=CVE-2026-48956 |
| url | https://www.cve.org/CVERecord?id=CVE-2026-48957 |
| url | https://www.cve.org/CVERecord?id=CVE-2026-48958 |