joomla security advisories
13 threat alerts tracking vulnerabilities and security advisories that affect joomla products.
Vulnios monitors joomla CVE feeds, vendor advisories, CISA KEV listings, and exploit-prediction data continuously. Each alert below is enriched with severity, exploitation status, affected products, and a remediation path. Use this page to scan recent joomla security news in one place, or click into an individual alert for full detail.
Critical Vulnerability: CVE-2026-35223 — joomla — joomla\!
An improper access check allows unauthorized access to com_config webservice endpoints.
criticalCVE-2026-35223Critical Vulnerability: CVE-2026-35221 — joomla — joomla\!
Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.
criticalCVE-2026-35221Critical Vulnerability: CVE-2026-35222 — joomla — joomla\!
Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.
criticalCVE-2026-35222Critical Vulnerability: CVE-2026-40383 — joomla — joomla\!
An improper validation of user-supplied input leads to a local file inclusion vulnerability.
criticalCVE-2026-40383Critical Vulnerability: CVE-2026-48898 — joomla — joomla\!
An improper access check allows privilege escalation through the com_users batch task.
criticalCVE-2026-48898Critical Vulnerability: CVE-2026-48899 — joomla — joomla\!
An improper access check allows privilege escalation through the com_users batch task.
criticalCVE-2026-48899Critical Vulnerability: CVE-2026-48904 — joomla — joomla\!
An improper access check allows privelege escalation through the com_users group editing webservice endpoint.
criticalCVE-2026-48904Critical Vulnerability: CVE-2016-9836 — joomla — joomla\!
The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a us
criticalCVE-2016-9836Critical Vulnerability: CVE-2016-8869 — joomla — joomla\!
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of
criticalCVE-2016-8869Critical Vulnerability: CVE-2017-16634 — joomla — joomla\!
In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication method.
criticalCVE-2017-16634Critical Vulnerability: CVE-2017-14596 — joomla — joomla\!
In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password.
criticalCVE-2017-14596Critical Vulnerability: CVE-2017-8917 — joomla — joomla\!
SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.
criticalCVE-2017-8917Critical Vulnerability: CVE-2016-9081 — joomla — joomla\!
Joomla! 3.4.4 through 3.6.3 allows attackers to reset username, password, and user group assignments and possibly perform other user account modifications via unspecified vectors.
criticalCVE-2016-9081
Track joomla exposure across your environment
Vulnios automatically cross-references your asset inventory against new joomla CVEs and surfaces only what affects you. No more sifting manually — actionable findings only.
Start a free scan