CVE-2026-21631
Cross-Site Scripting in Joomla Multilingual Associations Component
Publication date: 2026-04-01
Last updated on: 2026-04-09
Assigner: Joomla! Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joomla | joomla! | From 3.0.0 (inc) to 5.4.4 (exc) |
| joomla | joomla! | From 6.0.0 (inc) to 6.0.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21631 is a cross-site scripting (XSS) vulnerability found in the Joomla! CMS, specifically in the multilingual associations component's comparison view (com_associations).
The vulnerability occurs because of a lack of proper output escaping, which allows attackers to inject malicious scripts into the system.
This affects Joomla! CMS versions 4.0.0 through 5.4.3 and 6.0.0 through 6.0.3.
How can this vulnerability impact me? :
This vulnerability allows attackers to inject malicious scripts via the multilingual associations component, potentially leading to cross-site scripting attacks.
Such attacks can result in unauthorized actions performed on behalf of users, theft of sensitive information, session hijacking, or defacement of the website.
However, the probability of exploitation is considered low and the severity is rated as moderate.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a cross-site scripting (XSS) issue in the multilingual associations component's comparison view of Joomla! CMS. Detection typically involves checking the Joomla! CMS version in use and testing the affected component for improper output escaping.
Since the vulnerability arises from lack of output escaping, one way to detect it is to attempt injecting benign script payloads into the multilingual associations comparison view and observe if they are executed or reflected unescaped.
There are no specific commands provided in the resources to detect this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Joomla! CMS to a fixed version that addresses this vulnerability.
- Upgrade to Joomla! CMS version 5.4.4 or later if you are using versions 4.0.0 through 5.4.3.
- Upgrade to Joomla! CMS version 6.0.4 or later if you are using versions 6.0.0 through 6.0.3.
Applying these updates will fix the lack of output escaping in the multilingual associations component and mitigate the XSS vulnerability.