[NEW] [high] Joomla: Multiple vulnerabilities
A remote attacker can exploit multiple vulnerabilities in Joomla to perform a cross-site scripting attack and bypass security mechanisms.
CSIRTS triage
- What
- Multiple vulnerabilities allow a remote attacker to perform cross-site scripting and bypass security mechanisms.
- Who is affected
- Users of Joomla are affected.
- Urgency
- Remediation is urgent due to the high severity and potential for exploitation.
- Action
- Update to the latest version of Joomla.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Joomla
Get an email when a new Joomla advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2238
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-489490.15% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 4% of all scored CVEs.
- Low exploitation riskCVE-2026-489500.15% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 4% of all scored CVEs.
- Low exploitation riskCVE-2026-489510.15% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 4% of all scored CVEs.
- Low exploitation riskCVE-2026-489520.15% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 4% of all scored CVEs.
- Low exploitation riskCVE-2026-489530.15% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 4% of all scored CVEs.
- Low exploitation riskCVE-2026-489540.15% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 4% of all scored CVEs.
- Low exploitation riskCVE-2026-489470.20% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 10% of all scored CVEs.
- Low exploitation riskCVE-2026-489480.24% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 15% of all scored CVEs.
- Low exploitation riskCVE-2026-489550.21% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 11% of all scored CVEs.
- Low exploitation riskCVE-2026-489560.17% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 6% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-48949 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48950 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48951 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48952 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48953 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48954 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48947 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48948 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48955 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48956 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48957 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-48958 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- unknownMultiple vulnerabilities in Joomla! (July 08, 2026)cert-fr-avis
- highCVE-2026-48958: An improper access check allows unauthorized users to create custom fields via webservices end…nvd
- highCVE-2026-48957: An improper access check allows unauthorized users to access com_privacy datasets.nvd
- mediumCVE-2026-48956: An improper access check allows users to display a list of modules in the frontend.nvd
- mediumCVE-2026-48955: An improper access check allows unauthorized users to access workflow stage and transition inf…nvd
- mediumCVE-2026-48954: Improper validation leads to a generic XSS vector in the language override feature.nvd
- mediumCVE-2026-48953: Lack of escaping leads to an XSS vulnerability in the generic image output layout.nvd
- mediumCVE-2026-48952: Lack of escaping leads to an XSS vulnerability in the update list view of com_installer.nvd
- mediumCVE-2026-48951: Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.nvd
- mediumCVE-2026-48950: Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.nvd
- mediumCVE-2026-48949: Lack of validation leads to an XSS vulnerability in the MFA management views.nvd
- highCVE-2026-48948: An improper access check allows user to download vcard exports of com_contact contacts that ar…nvd
Recent advisories for Joomla
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…nvd · 2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…nvd · 2026-07-11
- highCVE-2026-56292: A SQLi vulnerability in AcyMailing component < 10.11.1 for Joomla was discovered. Exploiting t…nvd · 2026-07-09
- criticalexploitedCVE-2026-56291: The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload t…nvd · 2026-07-09
- medium[UPDATE] [medium] Joomla: Multiple vulnerabilitiescert-bund · 2026-07-09
- medium[UPDATE] [medium] Joomla: Multiple vulnerabilitiescert-bund · 2026-07-09
More from CERT-Bund (BSI) Security Advisories
- medium[NEW] [medium] DENX U-Boot: Multiple vulnerabilities allow execution of arbitrary code and DoS2026-07-10
- medium[NEW] [medium] Samsung Android: Multiple vulnerabilities2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow unspecified attack2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10