Security Announcements
-
[20260101] - Core - Inadequate content filtering for data URLs
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Low
- Versions: 4.0.0-5.4.1, 6.0.0-6.0.1
- Exploit type: XSS
- Reported Date: 2025-11-14
- Fixed Date: 2026-01-06
- CVE Number: CVE-2025-63082
Description
Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.Affected Installs
Joomla! CMS versions 4.0.0-5.4.1, 6.0.0-6.0.1
Solution
Upgrade to version 5.4.2 or 6.0.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Sho Sugiyama of SUZUKI MOTOR CORPORATION -
[20260102] - Core - XSS vectors in the pagebreak and pagenavigation plugins
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Low
- Versions: 3.9.0-5.4.1, 6.0.0-6.0.1
- Exploit type: XSS
- Reported Date: 2025-09-29
- Fixed Date: 2026-01-06
- CVE Number: CVE-2025-63083
Description
Lack of output escaping leads to a XSS vector in the pagebreak and pagenavigation plugins.Affected Installs
Joomla! CMS versions 3.9.0-5.4.1, 6.0.0-6.0.1
Solution
Upgrade to version 5.4.2 or 6.0.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: peterhulst -
[20250901] - Core - Inadequate content filtering within the checkAttribute filter code
- Project: Joomla! / Joomla! Framework
- SubProject: CMS / filter
- Impact: Moderate
- Severity: Moderate
- Probability: Moderate
- Versions: 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3
- Exploit type: XSS
- Reported Date: 2025-08-03
- Fixed Date: 2025-09-30
- CVE Number: CVE-2025-54476
Description
Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.Affected Installs
Joomla! CMS versions 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3
Solution
Upgrade to version 4.4.14 or 5.3.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Flydragon, Poi, Cwy, Xtrimi -
[20250902] - Core - User-Enumeration in passkey authentication method
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Probability: Low
- Versions: 4.0.0-4.4.13, 5.0.0-5.3.3
- Exploit type: User Enumeration
- Reported Date: 2025-09-04
- Fixed Date: 2025-09-30
- CVE Number: CVE-2025-54477
Description
Improper handling of authentication requests lead to a user enumeration vector in the passkey authentication method.Affected Installs
Joomla! CMS versions 4.0.0-4.4.13, 5.0.0-5.3.3
Solution
Upgrade to version 4.4.14 or 5.3.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Marco Schubert -
[20250401] - Framework - SQL injection vulnerability in quoteNameStr method of Database package
- Project: Joomla!
- SubProject: Framework
- Impact: High
- Severity: Low
- Probability: Low
- Versions:1.0.0-2.1.1, 3.0.0-3.3.1
- Exploit type: SQL Injection
- Reported Date: 2025-03-17
- Fixed Date: 2025-04-02
- CVE Number: CVE-2025-25226
Description
Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package.Affected Installs
Database Package version: 1.0.0-2.1.1, 3.0.0-3.3.1
Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.
Solution
Upgrade to version 2.2.0 or 3.4.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Nicholas K. Dionysopoulos, akeeba.com