CVE-2026-48951 MEDIUM

CVE-2026-48951: Joomla! Core - [20260705] - XSS in various modalreturn layouts

Vendor Joomla! Project
Product Joomla! CMS
Weakness CWE-79 · XSS
Published July 7, 2026
Last update July 8, 2026

CVSS base score

5.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.

Explanation of Vulnerability in Simple Terms

02Summary

A cross-site scripting (XSS) vulnerability in Joomla! CMS versions 4.0.0 through 5.4.6 allows an authenticated administrator to inject malicious scripts that execute in other users' browsers. The vulnerability requires administrator privileges and user interaction (such as visiting a crafted page). An attacker with admin access can deface content or steal session data from site visitors.

What an attacker can do

03Attacker Capabilities

Inject malicious JavaScript that runs in other users' browsers when they visit the site.

Potential impact on your site

04Site Impact

An admin account compromise could allow an attacker to deface your site or steal visitor session tokens and credentials.

Conditions required to exploit

05Prerequisites

Attacker must have administrator-level access to Joomla and the victim must visit a page containing the injected script.

Key dates

06Disclosure timeline

July 7, 2026 CVE published
July 8, 2026 Record updated

Related vulnerabilities

08Related CVE