joomla joomla-cms Vulnerabilities: CVEs, CISA KEV & Security Advisories

This page aggregates every publicly disclosed vulnerability (CVE) affecting joomla joomla-cms, with a severity breakdown, the affected and patched versions, the most common weakness types, and the full CVE list.

Affected versions and CVEs

Browse every joomla joomla-cms version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

3.2.0106 CVEs
3.2.1103 CVEs
3.2.2103 CVEs
3.2.3103 CVEs
3.2.4103 CVEs
3.3.0103 CVEs
3.4.0-beta1103 CVEs
3.4.0-beta2103 CVEs
3.4.0-beta3103 CVEs
3.4.0-rc103 CVEs
3.6.0103 CVEs
3.6.1103 CVEs
3.6.1-rc1103 CVEs
3.6.1-rc2103 CVEs
3.6.2103 CVEs
3.6.3103 CVEs
3.6.3-rc1103 CVEs
3.6.3-rc2103 CVEs
3.6.3-rc3103 CVEs
3102 CVEs
3.3.0.beta102 CVEs
3.3.0.beta2102 CVEs
3.3.0.rc102 CVEs
3.3.1102 CVEs
3.3.2102 CVEs
3.3.3102 CVEs
3.3.4102 CVEs
3.3.5102 CVEs
3.3.6102 CVEs
3.4.0102 CVEs
3.8.0102 CVEs
3.8.1102 CVEs
3.8.1-rc102 CVEs
3.4.1101 CVEs
3.4.1-rc101 CVEs
3.4.1-rc2101 CVEs
3.4.2101 CVEs
3.4.2-rc101 CVEs
3.4.3101 CVEs
3.4.4101 CVEs
3.4.4-rc101 CVEs
3.4.4-rc2101 CVEs
3.5.0101 CVEs
3.5.1101 CVEs
3.5.1-rc101 CVEs
3.5.1-rc2101 CVEs
3.6.0-alpha101 CVEs
3.6.0-beta1101 CVEs
3.6.0-beta2101 CVEs
3.6.0-rc101 CVEs
3.6.0-rc2101 CVEs
3.6.4101 CVEs
3.7.0101 CVEs
3.4.5100 CVEs
3.5.0-beta100 CVEs
3.5.0-beta2100 CVEs
3.5.0-beta3100 CVEs
3.5.0-beta4100 CVEs
3.5.0-beta5100 CVEs
3.5.0-rc100 CVEs
3.5.0-rc2100 CVEs
3.5.0-rc4100 CVEs
3.7.1100 CVEs
3.7.2100 CVEs
3.7.3100 CVEs
3.7.3-beta1100 CVEs
3.7.3-rc1100 CVEs
3.7.3-rc2100 CVEs
3.7.4100 CVEs
3.7.4-beta1100 CVEs
3.7.4-rc1100 CVEs
3.8.0-beta1100 CVEs
3.8.0-beta2100 CVEs
3.8.0-beta3100 CVEs
3.8.0-beta4100 CVEs
3.8.0-rc1100 CVEs
3.8.2100 CVEs
3.8.2-rc100 CVEs
3.8.3100 CVEs
3.8.3-rc100 CVEs
3.8.4-rc100 CVEs
3.8.4-rc2100 CVEs
3.4.699 CVEs
3.4.799 CVEs
3.4.899 CVEs
3.4.8-rc99 CVEs
3.5.0-rc399 CVEs
3.7.1-rc199 CVEs
3.7.1-rc299 CVEs
3.6.598 CVEs
3.0.197 CVEs
3.0.397 CVEs
3.1.0_beta197 CVEs
3.1.0_beta297 CVEs
3.1.0_beta397 CVEs
3.1.0_beta497 CVEs
3.1.0_beta597 CVEs
3.1.197 CVEs
3.1.597 CVEs
3.2.0.alpha97 CVEs
3.2.0.beta97 CVEs
3.2.0.rc97 CVEs
3.7.0-alpha197 CVEs
3.7.0-beta197 CVEs
3.7.0-beta297 CVEs
3.7.0-beta397 CVEs
3.7.0-beta497 CVEs
3.7.0-rc197 CVEs
3.7.0-rc297 CVEs
3.7.0-rc397 CVEs
3.7.0-rc497 CVEs
3.0.096 CVEs
3.8.496 CVEs
3.8.596 CVEs
3.8.5-rc96 CVEs
3.8.695 CVEs
3.8.6-rc195 CVEs
3.8.795 CVEs
3.8.7-rc95 CVEs
3.8.8-rc95 CVEs
3.8.887 CVEs
3.9.087 CVEs
3.9.187 CVEs
3.9.1-rc87 CVEs
3.9.2-rc87 CVEs
3.8.9-rc86 CVEs
issues-241-25786 CVEs
3.8.1085 CVEs
3.8.1185 CVEs
3.8.11-rc85 CVEs
3.8.12-rc85 CVEs
3.8.985 CVEs
3.9.283 CVEs
3.8.1282 CVEs
3.8.1379 CVEs
3.9.0-alpha79 CVEs
3.9.0-beta79 CVEs
3.9.0-beta279 CVEs
3.9.0-beta379 CVEs
3.9.0-beta479 CVEs
3.9.0-rc79 CVEs
3.9.0-rc279 CVEs
3.9.3-rc78 CVEs
3.9.377 CVEs
3.9.4-rc77 CVEs
3.9.473 CVEs
3.9.5-rc72 CVEs
3.9.571 CVEs
3.9.6-rc71 CVEs
3.9.6-rc271 CVEs
3.9.670 CVEs
2.5.469 CVEs
2.5.569 CVEs
2.5.669 CVEs
3.0.0_alpha-169 CVEs
3.0.0_alpha-269 CVEs
3.0.0_beta169 CVEs
2.5.168 CVEs
3.9.7-rc68 CVEs
2.5.067 CVEs
2.5.267 CVEs
2.5.367 CVEs
3.9.767 CVEs
3.9.1066 CVEs
3.9.11-rc66 CVEs
3.9.866 CVEs
3.9.966 CVEs
3.9.9-rc66 CVEs
3.9.1165 CVEs
3.9.12-rc65 CVEs
3.9.1264 CVEs
3.9.13-rc63 CVEs
3.9.13-rc263 CVEs
3.9.1362 CVEs
3.9.14-rc62 CVEs
3.9.1460 CVEs
3.9.15-rc59 CVEs
3.9.1557 CVEs
3.9.16-rc57 CVEs
3.9.1651 CVEs
3.9.17-rc51 CVEs
3.9.1748 CVEs
3.9.1848 CVEs
3.9.19-rc48 CVEs
1.7.347 CVEs
3.9.1944 CVEs
2.5.0_beta139 CVEs
2.5.0_beta239 CVEs
2.5.0_RC138 CVEs
3.10.038 CVEs
3.10.138 CVEs
3.10.238 CVEs
3.10.2-rc138 CVEs
3.10.338 CVEs
3.10.3-rc138 CVEs
3.10.438 CVEs
3.10.4-rc138 CVEs
3.10.538 CVEs
3.10.5-rc138 CVEs
3.10.6-rc138 CVEs
3.9.2038 CVEs
3.9.20-rc38 CVEs
3.9.21-rc38 CVEs
3.9.2136 CVEs
3.9.2236 CVEs
3.9.22-rc36 CVEs
3.10.635 CVEs
4.0.033 CVEs
4.0.132 CVEs
4.0.232 CVEs
4.0.332 CVEs
4.0.3-rc32 CVEs
4.0.432 CVEs
4.0.4-rc132 CVEs
4.0.532 CVEs
4.0.5-rc132 CVEs
4.0.5-rc232 CVEs
4.0.5-rc332 CVEs
4.0.5-rc432 CVEs
4.0.632 CVEs
4.0.6-rc132 CVEs
4.0.6-rc232 CVEs
4.0.6-rc332 CVEs
4.1.032 CVEs
4.1.0-alpha132 CVEs
4.1.0-alpha232 CVEs
4.1.0-alpha332 CVEs
4.1.0-beta132 CVEs
4.1.0-beta232 CVEs
4.1.0-beta332 CVEs
4.1.0-rc132 CVEs
4.1.0-rc232 CVEs
4.1.0-rc332 CVEs
4.1.0-rc432 CVEs
4.2.031 CVEs
3.9.2330 CVEs
3.9.23-rc30 CVEs
3.9.23-rc230 CVEs
4.2.130 CVEs
4.2.1-rc130 CVEs
4.2.1-rc230 CVEs
4.2.1-rc330 CVEs
4.2.230 CVEs
4.2.330 CVEs
4.2.3-rc130 CVEs
3.10.1029 CVEs
3.10.10-rc129 CVEs
3.10.11-rc129 CVEs
3.10.729 CVEs
3.10.7-rc129 CVEs
3.10.829 CVEs
3.10.929 CVEs
3.10.9-rc129 CVEs
4.1.129 CVEs
4.1.1-rc129 CVEs
4.1.1-rc229 CVEs
4.1.229 CVEs
4.1.329 CVEs
4.1.3-rc129 CVEs
4.1.429 CVEs
4.1.4-rc129 CVEs
4.1.529 CVEs
4.1.5-rc129 CVEs
4.1.5-rc229 CVEs
4.2.0-alpha129 CVEs
4.2.0-alpha229 CVEs
4.2.0-alpha329 CVEs
4.2.0-beta129 CVEs
4.2.0-beta229 CVEs
4.2.0-beta329 CVEs
4.2.0-rc129 CVEs
cypress29 CVEs
cypress-io29 CVEs
psr12anchor29 CVEs
psr12final29 CVEs
3.9.2428 CVEs
3.9.24-rc28 CVEs
3.9.24-rc228 CVEs
3.9.25-rc28 CVEs
4.2.428 CVEs
4.2.5-rc127 CVEs
4.2.526 CVEs
4.2.626 CVEs
4.2.6-rc126 CVEs
4.2.725 CVEs
4.2.7-rc125 CVEs
4.2.824 CVEs
4.2.924 CVEs
4.2.9-rc124 CVEs
4.3.024 CVEs
4.3.0-alpha124 CVEs
4.3.0-alpha224 CVEs
4.3.0-alpha324 CVEs
4.3.0-beta124 CVEs
4.3.0-beta224 CVEs
4.3.0-beta324 CVEs
4.3.0-beta424 CVEs
4.3.0-rc124 CVEs
4.3.0-rc224 CVEs
4.3.0-rc324 CVEs
4.3.124 CVEs
4.3.1-rc124 CVEs
4.3.2-rc124 CVEs
3.10.1122 CVEs
3.10.1222 CVEs
3.10.12-rc122 CVEs
4.3.222 CVEs
4.3.322 CVEs
4.3.3-rc122 CVEs
4.3.422 CVEs
4.3.4-rc122 CVEs
4.4.022 CVEs
4.4.0-alpha122 CVEs
4.4.0-alpha222 CVEs
4.4.0-alpha322 CVEs
4.4.0-alpha422 CVEs
4.4.0-beta122 CVEs
4.4.0-beta222 CVEs
4.4.0-beta322 CVEs
4.4.0-rc122 CVEs
4.4.1-rc122 CVEs
4.4.1-rc222 CVEs
4.4.121 CVEs
4.4.221 CVEs
4.4.2-rc121 CVEs
3.9.2519 CVEs
3.9.2617 CVEs
3.9.26-rc17 CVEs
4.4.316 CVEs
4.4.416 CVEs
4.4.4-rc116 CVEs
4.4.4-rc216 CVEs
4.4.516 CVEs
4.4.6-rc115 CVEs
3.9.2714 CVEs
3.9.27-rc14 CVEs
4.4.610 CVEs
4.4.7-rc110 CVEs
3.10.0-alpha19 CVEs
3.10.0-alpha29 CVEs
3.10.0-alpha39 CVEs
3.10.0-alpha49 CVEs
3.10.0-alpha59 CVEs
3.10.0-alpha69 CVEs
3.10.0-alpha79 CVEs
3.10.0-alpha89 CVEs
3.10.0-alpha99 CVEs
3.10.0-rc19 CVEs
3.10.0-rc29 CVEs
3.9.289 CVEs
3.9.28-rc9 CVEs
4.4.76 CVEs
4.4.86 CVEs
4.4.8-rc16 CVEs
4.4.8-rc26 CVEs
4.4.8-rc36 CVEs
4.4.96 CVEs
4.4.9-rc16 CVEs
4.0.0-alpha13 CVEs
4.0.0-alpha103 CVEs
4.0.0-alpha113 CVEs
4.0.0-alpha123 CVEs
4.0.0-alpha23 CVEs
4.0.0-alpha33 CVEs
4.0.0-alpha43 CVEs
4.0.0-alpha53 CVEs
4.0.0-alpha63 CVEs
4.0.0-alpha73 CVEs
4.0.0-alpha83 CVEs
4.0.0-alpha93 CVEs
4.0.0-beta3 CVEs
4.0.0-beta23 CVEs
4.0.0-beta33 CVEs
4.0.0-beta43 CVEs
4.0.0-beta53 CVEs
4.0.0-beta63 CVEs
4.0.0-beta73 CVEs
4.0.0-rc13 CVEs
4.0.0-rc23 CVEs
4.0.0-rc33 CVEs
4.0.0-rc43 CVEs
4.0.0-rc53 CVEs
4.0.0-rc63 CVEs
4.4.103 CVEs
4.4.113 CVEs
4.4.11-rc13 CVEs
4.4.123 CVEs
4.4.132 CVEs
5.0.02 CVEs
5.0.0-alpha12 CVEs
5.0.0-alpha22 CVEs
5.0.0-alpha32 CVEs
5.0.0-alpha42 CVEs
5.0.0-beta12 CVEs
5.0.0-beta22 CVEs
5.0.0-beta32 CVEs
5.0.0-rc2 CVEs
5.0.0-rc22 CVEs
5.0.12 CVEs
5.0.1-rc12 CVEs
5.0.1-rc22 CVEs
5.0.22 CVEs
5.0.2-rc12 CVEs
5.0.2-rc22 CVEs
5.0.32 CVEs
5.0.3-rc12 CVEs
5.1.02 CVEs
5.1.0-alpha12 CVEs
5.1.0-alpha22 CVEs
5.1.0-alpha32 CVEs
5.1.0-alpha42 CVEs
5.1.0-beta12 CVEs
5.1.0-beta22 CVEs
5.1.0-rc12 CVEs
5.1.0-rc22 CVEs
5.1.12 CVEs
5.1.1-rc12 CVEs
5.1.22 CVEs
5.1.2-rc12 CVEs
5.1.2-rc22 CVEs
5.1.32 CVEs
5.1.3-rc12 CVEs
5.1.42 CVEs
5.1.4-rc12 CVEs
5.1.4-rc22 CVEs
5.1.4-rc32 CVEs
5.2.02 CVEs
5.2.0-alpha12 CVEs
5.2.0-alpha32 CVEs
5.2.0-beta12 CVEs
5.2.0-beta22 CVEs
5.2.0-beta32 CVEs
5.2.0-rc12 CVEs
5.2.0-rc22 CVEs
5.2.0-rc32 CVEs
5.2.0-rc42 CVEs
5.2.12 CVEs
5.2.22 CVEs
5.2.2-rc12 CVEs
5.2.32 CVEs
5.2.3-rc12 CVEs
5.2.42 CVEs
5.2.4-rc12 CVEs
5.2.52 CVEs
5.3.02 CVEs
5.3.0-alpha12 CVEs
5.3.0-alpha22 CVEs
5.3.0-alpha32 CVEs
5.3.0-beta12 CVEs
5.3.0-beta22 CVEs
5.3.0-beta32 CVEs
5.3.0-rc12 CVEs
5.3.0-rc22 CVEs
5.3.12 CVEs
5.3.1-rc12 CVEs
5.3.22 CVEs
5.3.2-rc12 CVEs
5.3.32 CVEs
5.3.3-rc12 CVEs
5.3.3-rc22 CVEs
5.3.42 CVEs
5.3.4-rc12 CVEs
5.4.02 CVEs
5.4.0-alpha12 CVEs
5.4.0-alpha22 CVEs
5.4.0-alpha32 CVEs
5.4.0-beta12 CVEs
5.4.0-beta22 CVEs
5.4.0-beta32 CVEs
5.4.0-rc12 CVEs
5.4.12 CVEs
5.4.1-rc12 CVEs
5.4.1-rc22 CVEs
5.4.2-rc12 CVEs

Fixed in

28aef911901979246d398f0580c436c87dfec59d9 CVEs
aadf6979f8b99308c3621ea3af2ca98e678a477d9 CVEs
cf2534078e8b47162f5ba4b197ef99230ebe9d816 CVEs
27ca70a097a3d64f958bfee77a21f33002c33bfc5 CVEs
458d846681bd92a64e0e7a2b3a39159c8e751c0d5 CVEs
55f2082f32860eef1810da4a92214a557ad789d65 CVEs
a5e3be9a4ed11336ecb1047fcd4af9cd37b07eb25 CVEs
ae87846c82b0e4a9274598fa8d788b3b39a2f5aa5 CVEs
0ec372fdc6ad5ad63082636a0942b3ea39acc7b74 CVEs
1dceaf228a25100963ee044e7c886244742ca0af4 CVEs
3ed1b9f2f29501e3a29aeb113da9b0974611eb04

Find a version

168 CVEs

Sort

Joomla! Core - [20260101] - Inadequate content filtering for data URLs
CVE-2025-63082
Patch
CWE-79
Medium · CVSS 5.9
EPSS 0.0% (0th pct)2026-01-06
Joomla! Core - [20260102] - XSS vector in the pagebreak plugin
CVE-2025-63083
Patch
CWE-79
Medium · CVSS 5.9
EPSS 0.0% (0th pct)2026-01-06
[20250401] - Joomla Framework - SQL injection vulnerability in quoteNameStr method of Database package
CVE-2025-25226
Patch
CWE-89
Critical · CVSS 9.8
EPSS 0.0% (2th pct)2025-04-08
[20250402] - Joomla Core - MFA Authentication Bypass
CVE-2025-25227
Patch
CWE-287
High · CVSS 7.5
EPSS 0.0% (0th pct)2025-04-08
High vulnerability · 2025-01-07
CVE-2024-40749
Patch
CWE-284
High · CVSS 7.5
EPSS 0.0% (1th pct)2025-01-07
Medium vulnerability · 2025-01-07
CVE-2024-40747
Patch
CWE-79
Medium · CVSS 6.1
EPSS 0.1% (21th pct)2025-01-07
High vulnerability · 2025-01-07
CVE-2024-40748
Patch
CWE-79
High · CVSS 7.5
EPSS 0.0% (5th pct)2025-01-07
Critical vulnerability · 2024-08-20
CVE-2024-27185
Patch
CWE-444
Critical · CVSS 9.1
EPSS 0.0% (1th pct)2024-08-20
Medium vulnerability · 2024-08-20
CVE-2024-27186
Patch
CWE-79
Medium · CVSS 6.1
EPSS 0.1% (26th pct)2024-08-20
[20240801] - Core - Inadequate validation of internal URLs
CVE-2024-27184
Patch
CWE-601
Medium · CVSS 6.1
EPSS 0.0% (6th pct)2024-08-20
Medium vulnerability · 2024-08-20
CVE-2024-40743
Patch
CWE-79
Medium · CVSS 6.1
EPSS 0.1% (23th pct)2024-08-20
[20240804] - Core - Improper ACL for backend profile view
CVE-2024-27187
Patch
CWE-284
High · CVSS 7.5
EPSS 0.0% (0th pct)2024-08-20
Medium vulnerability · 2024-07-09
CVE-2024-21729
Patch
CWE-79
Medium · CVSS 6.1
EPSS 0.0% (8th pct)2024-07-09
[20240702] - Core - Self-XSS in fancyselect list field layout
CVE-2024-21730
Patch
CWE-79
Medium · CVSS 5.4
EPSS 0.0% (12th pct)2024-07-09
Medium vulnerability · 2024-07-09
CVE-2024-26279
Patch
CWE-79
Medium · CVSS 6.1
EPSS 0.0% (8th pct)2024-07-09
[20240705] - Core - XSS in com_fields default field value
CVE-2024-26278
Patch
CWE-79
Medium · CVSS 4.6
EPSS 0.0% (2th pct)2024-07-09
[20240703] - Core - XSS in StringHelper::truncate method
CVE-2024-21731
Patch
CWE-79
Medium · CVSS 6.1
EPSS 0.0% (12th pct)2024-07-09
Medium vulnerability · 2024-02-20
CVE-2024-21723
Patch
CWE-601
Medium · CVSS 4.3
EPSS 0.0% (0th pct)2024-02-20
Medium vulnerability · 2024-02-20
CVE-2024-21725
Patch
CWE-79
Medium · CVSS 6.1
EPSS 1.2% (80th pct)2024-02-20
Medium vulnerability · 2024-02-20
CVE-2024-21724
Patch
CWE-79
Medium · CVSS 6.1
EPSS 0.0% (11th pct)2024-02-20
[20240201] - Core - Insufficient session expiration in MFA management views
CVE-2024-21722
Patch
CWE-613
Medium · CVSS 6.3
EPSS 0.0% (0th pct)2024-02-20
[20240205] - Core - Inadequate content filtering within the filter code
CVE-2024-21726
Patch
CWE-79
Medium · CVSS 6.5
EPSS 0.3% (54th pct)2024-02-20
Vulnerability · 2023-11-29
CVE-2023-40626
Patch
Unscored
EPSS 0.0% (9th pct)2023-11-29
Medium vulnerability · 2023-05-30
CVE-2023-23754
Patch
CWE-79
Medium · CVSS 6.1
EPSS 0.0% (9th pct)2023-05-30
High vulnerability · 2023-05-30
CVE-2023-23755
Patch
High · CVSS 7.5
EPSS 0.0% (0th pct)2023-05-30
[20230201] - Core - Improper access check in webservice endpoints
CVE-2023-23752
CISA KEV
Public exploit
Patch
CWE-284
Added to CISA KEV 2024-01-08
Medium · CVSS 6.9
EPSS 94.5% (100th pct)2023-02-16
Medium vulnerability · 2023-02-01
CVE-2023-23751CWE-863
Medium · CVSS 4.3
EPSS 0.0% (0th pct)2023-02-01
[20230101] - Core - CSRF within post-installation messages
CVE-2023-23750CWE-352
Medium · CVSS 6.3
EPSS 0.0% (1th pct)2023-02-01
Vulnerability · 2022-11-08
CVE-2022-27914
Patch
Unscored
EPSS 0.1% (35th pct)2022-11-08
Vulnerability · 2022-10-25
CVE-2022-27913
Unscored
EPSS 0.1% (35th pct)2022-10-25

Showing 30 of 168

joomla joomla-cms Vulnerabilities

Overview

Severity and exploitation

Affected versions and CVEs

Specific versions

Fixed in

Common weakness types

Disclosure activity by year

Other joomla products

Frequently asked questions

How many CVEs does joomla joomla-cms have?

How many joomla joomla-cms CVEs are in CISA KEV?

Are there public exploits for joomla joomla-cms vulnerabilities?

Which versions of joomla joomla-cms are affected?

What are the most common weakness types in joomla joomla-cms CVEs?

How many critical joomla joomla-cms vulnerabilities are there?

What is the average severity of joomla joomla-cms CVEs?

References

Track joomla joomla-cms vulnerabilities