CVE-2026-35220 MEDIUM

CVE-2026-35220: Joomla! Core - [20260505] - CSRF in user activation endpoint

Vendor Joomla! Project
Product Joomla! CMS
Weakness CWE-352 · CSRF
Published May 26, 2026
Last update May 27, 2026

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.

Explanation of Vulnerability in Simple Terms

02Summary

Joomla! CMS versions 6.0.0 through 6.1.0 contain a cross-site request forgery (CSRF) vulnerability that allows an attacker to perform unauthorized actions on behalf of a high-privileged user. The vulnerability requires user interaction—the victim must visit a malicious page while logged in. An attacker can modify site settings or content if a high-privilege user is tricked into visiting their crafted link.

What an attacker can do

03Attacker Capabilities

Perform unauthorized actions (modify settings or content) on behalf of a high-privilege user who visits a malicious page.

Potential impact on your site

04Site Impact

A high-privilege user's session can be hijacked to make unwanted changes to your site without their knowledge.

Conditions required to exploit

05Prerequisites

High-privilege user account must exist; victim must visit attacker-controlled page while logged in to Joomla.

Key dates

06Disclosure timeline

May 26, 2026 CVE published
May 27, 2026 Record updated

Related vulnerabilities

08Related CVE