CVE-2026-25900
Cross-Site Scripting in Joomla Feed Modules
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: Joomla! Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joomla | cms | From 3.0.0 (inc) to 5.4.5 (inc) |
| joomla | cms | From 6.0.0 (inc) to 6.1.0 (inc) |
| joomla | cms | 5.4.6 |
| joomla | cms | 6.1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25900 is a Cross-Site Scripting (XSS) vulnerability in Joomla! CMS affecting versions 3.0.0 through 5.4.5 and 6.0.0 through 6.1.0. It occurs due to insufficient output escaping in the feed modules, which allows attackers to inject and execute malicious scripts in the browsers of users who view the affected feeds.
How can this vulnerability impact me? :
This vulnerability can lead to malicious scripts running in the context of a user's browser when they access the vulnerable feed modules. This can result in theft of sensitive information, session hijacking, or other malicious actions performed on behalf of the user without their consent.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Cross-Site Scripting (XSS) issue caused by lack of output escaping in Joomla! CMS feed modules. Detection typically involves verifying the Joomla! CMS version and testing for XSS payload execution in feed module outputs.
To detect if your system is vulnerable, first check the Joomla! CMS version installed on your system. Versions 3.0.0 through 5.4.5 and 6.0.0 through 6.1.0 are affected.
- Use the following command to check the Joomla! version (run in the Joomla root directory): php cli/joomla.php version
- Manually test the feed modules by injecting typical XSS payloads (e.g., <script>alert(1)</script>) into feed inputs or parameters and observe if the script executes in the browser.
Network detection of this vulnerability is not straightforward since it is a client-side XSS issue. Monitoring HTTP responses from feed modules for unescaped user input or suspicious script tags may help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade Joomla! CMS to a fixed version where the vulnerability is patched.
- Upgrade Joomla! CMS to version 5.4.6 or later, or 6.1.1 or later, as these versions contain the fix for the XSS vulnerability in the feed modules.
Until the upgrade can be performed, consider disabling or restricting access to the feed modules to prevent exploitation.
Additionally, review and apply any recommended security best practices from the Joomla! Security Centre.