CVE-2026-25900
Analyzed Analyzed - Analysis Complete
Cross-Site Scripting in Joomla Feed Modules

Publication date: 2026-05-26

Last updated on: 2026-05-27

Assigner: Joomla! Project

Description
Lack of output escaping leads to a XSS vector in the feed modules.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25900
EUVD
EUVD-2026-31876
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
joomla joomla! From 3.0.0 (inc) to 5.4.6 (exc)
joomla joomla! From 6.0.0 (inc) to 6.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability is a Cross-Site Scripting (XSS) issue in Joomla! CMS feed modules caused by lack of output escaping, which allows execution of malicious scripts in users' browsers.

Such XSS vulnerabilities can lead to unauthorized access to user data or session hijacking, potentially compromising personal data.

This can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure.

Therefore, failure to patch this vulnerability could result in non-compliance with these standards due to increased risk of data breaches.

Executive Summary

CVE-2026-25900 is a Cross-Site Scripting (XSS) vulnerability in Joomla! CMS affecting versions 3.0.0 through 5.4.5 and 6.0.0 through 6.1.0. It occurs due to insufficient output escaping in the feed modules, which allows attackers to inject and execute malicious scripts in the browsers of users who view the affected feeds.

Impact Analysis

This vulnerability can lead to malicious scripts running in the context of a user's browser when they access the vulnerable feed modules. This can result in theft of sensitive information, session hijacking, or other malicious actions performed on behalf of the user without their consent.

Detection Guidance

This vulnerability is a Cross-Site Scripting (XSS) issue caused by lack of output escaping in Joomla! CMS feed modules. Detection typically involves verifying the Joomla! CMS version and testing for XSS payload execution in feed module outputs.

To detect if your system is vulnerable, first check the Joomla! CMS version installed on your system. Versions 3.0.0 through 5.4.5 and 6.0.0 through 6.1.0 are affected.

  • Use the following command to check the Joomla! version (run in the Joomla root directory): php cli/joomla.php version
  • Manually test the feed modules by injecting typical XSS payloads (e.g., <script>alert(1)</script>) into feed inputs or parameters and observe if the script executes in the browser.

Network detection of this vulnerability is not straightforward since it is a client-side XSS issue. Monitoring HTTP responses from feed modules for unescaped user input or suspicious script tags may help identify exploitation attempts.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade Joomla! CMS to a fixed version where the vulnerability is patched.

  • Upgrade Joomla! CMS to version 5.4.6 or later, or 6.1.1 or later, as these versions contain the fix for the XSS vulnerability in the feed modules.

Until the upgrade can be performed, consider disabling or restricting access to the feed modules to prevent exploitation.

Additionally, review and apply any recommended security best practices from the Joomla! Security Centre.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25900. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart