Feed live

Joomla vulnerabilities - every known CVE across core and extensions

Joomla's component-and-module architecture means most disclosed CVEs originate in third-party extensions rather than core. Tracked, scored, and classified as they're published.

Total CVEs tracked
339,613
All time
Critical · Active
10,844
CVSS ≥ 9.0
New · 14 days
2,602
Newly disclosed
Feed last synced
2 hrs ago
Data freshness

Joomla security

A well-established CMS with a large extension ecosystem

Joomla has been around since 2005 and is widely used in government, education, and enterprise publishing. The Joomla Security Strike Team (JSST) has maintained a formal vulnerability disclosure process for many years. They publish security releases with SA-numbered advisories and coordinate with reporters before going public, so administrators get a chance to patch first.

Most Joomla CVEs come from third-party extensions, not Joomla core. Common vulnerability types include SQL injection in custom database queries, cross-site scripting in input fields and templates, path traversal in file management components, PHP object injection through unsafe use of unserialize(), and access control failures in AJAX endpoints that do not check user permissions before running privileged actions.

Joomla core updates can be applied in one click from the admin panel. Extension updates require checking each vendor's release channel separately. The Joomla Extensions Directory links to vendor sites but does not host extension files directly.

CVSS severity guide

Reading the severity scores

Each Joomla CVE has a CVSS 3.x score from 0 to 10. The score reflects how the vulnerability can be reached, how complex the exploit is, what access an attacker needs beforehand, and the impact on confidentiality, integrity, and availability if the attack succeeds.

Critical 9.0–10.0 Remote, no auth, max impact
High 7.0–8.9 Serious, remotely exploitable
Medium 4.0–6.9 Often requires auth or conditions
Low 0.1–3.9 Limited exploitability or impact

Search by extension name, vendor, or keyword to find CVEs for specific Joomla components. Click any CVE ID to see the full record with affected version ranges. If your installed version is in the affected range and no patch is listed, contact the extension vendor or temporarily disable the extension.

Showing 1–30 CVEs
Sorted by Published · Newest first
CVE ID Severity CVSS Title Published
CVE-2026-58148 high 8.7/10 Jul 17, 2026 today
CVE-2026-60024 Jul 17, 2026 today
CVE-2026-58149 Jul 17, 2026 today
CVE-2026-60025 Jul 17, 2026 today
CVE-2026-58078 high 8.7/10 Jul 16, 2026 yesterday
CVE-2026-58077 high 8.7/10 Jul 15, 2026 2d ago
CVE-2026-57833 high 8.6/10 Jul 15, 2026 2d ago
CVE-2026-57830 high 8.8/10 Jul 13, 2026 4d ago
CVE-2026-57829 high 8.7/10 Jul 13, 2026 4d ago
CVE-2026-57827 critical 10.0/10 Jul 11, 2026 6d ago
CVE-2026-57828 critical 9.0/10 Jul 11, 2026 6d ago
CVE-2026-56292 critical 9.2/10 Jul 9, 2026 8d ago
CVE-2026-56291 critical 10.0/10 Jul 9, 2026 8d ago
CVE-2026-48952 medium 5.9/10 Jul 7, 2026 9d ago
CVE-2026-48947 medium 6.4/10 Jul 7, 2026 9d ago
CVE-2026-48958 medium 6.4/10 Jul 7, 2026 9d ago
CVE-2026-48950 medium 5.9/10 Jul 7, 2026 9d ago
CVE-2026-48955 medium 6.4/10 Jul 7, 2026 9d ago
CVE-2026-48956 medium 6.4/10 Jul 7, 2026 9d ago
CVE-2026-48957 medium 6.4/10 Jul 7, 2026 9d ago
CVE-2026-48951 medium 5.9/10 Jul 7, 2026 9d ago
CVE-2026-48953 medium 5.9/10 Jul 7, 2026 9d ago
CVE-2026-48948 medium 6.4/10 Jul 7, 2026 9d ago
CVE-2026-48949 medium 5.9/10 Jul 7, 2026 9d ago
CVE-2026-48954 medium 5.9/10 Jul 7, 2026 9d ago
CVE-2026-49049 Jun 29, 2026 18d ago
CVE-2026-56290 critical 10.0/10 Jun 29, 2026 18d ago
CVE-2026-49048 high 8.7/10 Jun 28, 2026 18d ago
CVE-2026-48945 Jun 25, 2026 22d ago
CVE-2026-48940 Jun 25, 2026 22d ago
Page 1
Prev 1 2