Multiple vulnerabilities in Joomla! (July 08, 2026)
Multiple vulnerabilities have been discovered in Joomla!. Some of them allow an attacker to cause data confidentiality breaches, data integrity breaches, and remote indirect code injection (XSS).
CSIRTS triage
- What
- Multiple vulnerabilities can lead to data confidentiality breaches, data integrity breaches, and remote indirect code injection (XSS).
- Who is affected
- Users of Joomla! installations.
- Urgency
- Remediation is necessary as these vulnerabilities could compromise user data.
- Action
- Users should update to the latest version of Joomla! to mitigate these vulnerabilities.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Joomla!
Get an email when a new Joomla! advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0847/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-489570.24% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 15% of all scored CVEs.
- Low exploitation riskCVE-2026-489500.15% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 4% of all scored CVEs.
- Low exploitation riskCVE-2026-489530.15% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 4% of all scored CVEs.
- Low exploitation riskCVE-2026-489480.24% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 15% of all scored CVEs.
- Low exploitation riskCVE-2026-489490.15% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 4% of all scored CVEs.
- Low exploitation riskCVE-2026-489560.17% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 6% of all scored CVEs.
- Low exploitation riskCVE-2026-489580.26% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 18% of all scored CVEs.
- Low exploitation riskCVE-2026-489510.15% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 4% of all scored CVEs.
- Low exploitation riskCVE-2026-489540.15% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 4% of all scored CVEs.
- Low exploitation riskCVE-2026-489550.21% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 11% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-48957 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48950 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48953 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48948 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48949 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48956 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48958 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48951 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48954 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48955 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48947 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48952 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- high[NEW] [high] Joomla: Multiple vulnerabilitiescert-bund
- highCVE-2026-48958: An improper access check allows unauthorized users to create custom fields via webservices end…nvd
- highCVE-2026-48957: An improper access check allows unauthorized users to access com_privacy datasets.nvd
- mediumCVE-2026-48956: An improper access check allows users to display a list of modules in the frontend.nvd
- mediumCVE-2026-48955: An improper access check allows unauthorized users to access workflow stage and transition inf…nvd
- mediumCVE-2026-48954: Improper validation leads to a generic XSS vector in the language override feature.nvd
- mediumCVE-2026-48953: Lack of escaping leads to an XSS vulnerability in the generic image output layout.nvd
- mediumCVE-2026-48952: Lack of escaping leads to an XSS vulnerability in the update list view of com_installer.nvd
- mediumCVE-2026-48951: Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.nvd
- mediumCVE-2026-48950: Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.nvd
- mediumCVE-2026-48949: Lack of validation leads to an XSS vulnerability in the MFA management views.nvd
- highCVE-2026-48948: An improper access check allows user to download vcard exports of com_contact contacts that ar…nvd
Recent advisories for Joomla!
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…nvd · 2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…nvd · 2026-07-11
- highCVE-2026-56292: A SQLi vulnerability in AcyMailing component < 10.11.1 for Joomla was discovered. Exploiting t…nvd · 2026-07-09
- criticalexploitedCVE-2026-56291: The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload t…nvd · 2026-07-09
- medium[UPDATE] [medium] Joomla: Multiple vulnerabilitiescert-bund · 2026-07-09
- medium[UPDATE] [medium] Joomla: Multiple vulnerabilitiescert-bund · 2026-07-09
More from CERT-FR Avis de sécurité
- unknownMultiple vulnerabilities in Red Hat Linux kernel (July 10, 2026)2026-07-10
- unknownMultiple vulnerabilities in Ubuntu Linux kernel (July 10, 2026)2026-07-10
- unknownMultiple vulnerabilities in Progress MOVEit Transfer (July 10, 2026)2026-07-10
- unknownVulnerability in NetApp ONTAP 9 (July 10, 2026)2026-07-10
- unknownVulnerability in CPython (July 10, 2026)2026-07-10