Joomla vulnerabilities - every known CVE across core and extensions
Joomla's component-and-module architecture means most disclosed CVEs originate in third-party extensions rather than core. Tracked, scored, and classified as they're published.
Joomla security
A well-established CMS with a large extension ecosystem
Joomla has been around since 2005 and is widely used in government, education, and enterprise publishing. The Joomla Security Strike Team (JSST) has maintained a formal vulnerability disclosure process for many years. They publish security releases with SA-numbered advisories and coordinate with reporters before going public, so administrators get a chance to patch first.
Most Joomla CVEs come from third-party extensions, not Joomla core. Common vulnerability types include SQL injection in custom database queries, cross-site scripting in input fields and templates, path traversal in file management components, PHP object injection through unsafe use of unserialize(), and access control failures in AJAX endpoints that do not check user permissions before running privileged actions.
Joomla core updates can be applied in one click from the admin panel. Extension updates require checking each vendor's release channel separately. The Joomla Extensions Directory links to vendor sites but does not host extension files directly.
CVSS severity guide
Reading the severity scores
Each Joomla CVE has a CVSS 3.x score from 0 to 10. The score reflects how the vulnerability can be reached, how complex the exploit is, what access an attacker needs beforehand, and the impact on confidentiality, integrity, and availability if the attack succeeds.
Search by extension name, vendor, or keyword to find CVEs for specific Joomla components. Click any CVE ID to see the full record with affected version ranges. If your installed version is in the affected range and no patch is listed, contact the extension vendor or temporarily disable the extension.
| CVE ID | Severity | CVSS | Title | Published |
|---|---|---|---|---|
| CVE-2026-58148 | high | 8.7/10 | Jul 17, 2026 today | |
| CVE-2026-60024 | — | — | Jul 17, 2026 today | |
| CVE-2026-58149 | — | — | Jul 17, 2026 today | |
| CVE-2026-60025 | — | — | Jul 17, 2026 today | |
| CVE-2026-58078 | high | 8.7/10 | Jul 16, 2026 yesterday | |
| CVE-2026-58077 | high | 8.7/10 | Jul 15, 2026 2d ago | |
| CVE-2026-57833 | high | 8.6/10 | Jul 15, 2026 2d ago | |
| CVE-2026-57830 | high | 8.8/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57829 | high | 8.7/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57827 | critical | 10.0/10 | Jul 11, 2026 6d ago | |
| CVE-2026-57828 | critical | 9.0/10 | Jul 11, 2026 6d ago | |
| CVE-2026-56292 | critical | 9.2/10 | Jul 9, 2026 8d ago | |
| CVE-2026-56291 | critical | 10.0/10 | Jul 9, 2026 8d ago | |
| CVE-2026-48952 | medium | 5.9/10 | Jul 7, 2026 9d ago | |
| CVE-2026-48947 | medium | 6.4/10 | Jul 7, 2026 9d ago | |
| CVE-2026-48958 | medium | 6.4/10 | Jul 7, 2026 9d ago | |
| CVE-2026-48950 | medium | 5.9/10 | Jul 7, 2026 9d ago | |
| CVE-2026-48955 | medium | 6.4/10 | Jul 7, 2026 9d ago | |
| CVE-2026-48956 | medium | 6.4/10 | Jul 7, 2026 9d ago | |
| CVE-2026-48957 | medium | 6.4/10 | Jul 7, 2026 9d ago | |
| CVE-2026-48951 | medium | 5.9/10 | Jul 7, 2026 9d ago | |
| CVE-2026-48953 | medium | 5.9/10 | Jul 7, 2026 9d ago | |
| CVE-2026-48948 | medium | 6.4/10 | Jul 7, 2026 9d ago | |
| CVE-2026-48949 | medium | 5.9/10 | Jul 7, 2026 9d ago | |
| CVE-2026-48954 | medium | 5.9/10 | Jul 7, 2026 9d ago | |
| CVE-2026-49049 | — | — | Jun 29, 2026 18d ago | |
| CVE-2026-56290 | critical | 10.0/10 | Jun 29, 2026 18d ago | |
| CVE-2026-49048 | high | 8.7/10 | Jun 28, 2026 18d ago | |
| CVE-2026-48945 | — | — | Jun 25, 2026 22d ago | |
| CVE-2026-48940 | — | — | Jun 25, 2026 22d ago |