CVE-2026-48950
Received Received - Intake

XSS in Joomla com_templates File Management

Vulnerability report for CVE-2026-48950, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Joomla! Project

Description

Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
joomla joomla_cms From 4.0.0 (inc) to 5.4.5 (inc)
joomla joomla_cms From 6.0.0 (inc) to 6.1.1 (inc)
joomla joomla_cms 5.4.7
joomla joomla_cms 6.1.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how the XSS vulnerability in Joomla! CMS (CVE-2026-48950) affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-48950 is a Cross-Site Scripting (XSS) vulnerability found in the Joomla! CMS. It occurs because the file management view of the com_templates component does not properly escape input, allowing malicious scripts to be injected and executed.

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of the affected Joomla! CMS site. This can lead to unauthorized actions, theft of sensitive information, session hijacking, or other malicious activities depending on the privileges of the user interacting with the vulnerable component.

Detection Guidance

This vulnerability is a Cross-Site Scripting (XSS) issue in the file management view of the com_templates component in Joomla! CMS. Detection typically involves checking the Joomla! CMS version to see if it falls within the vulnerable ranges.

You can detect if your system is vulnerable by verifying the installed Joomla! CMS version. The affected versions are 4.0.0 through 5.4.5 and 6.0.0 through 6.1.1.

A command to check the Joomla! version on your server might be:

  • grep 'Joomla!' path/to/joomla/administrator/manifests/files/joomla.xml

Alternatively, you can check the version via the Joomla! administrator backend under System > System Information.

Since this is an XSS vulnerability, network detection would require monitoring for suspicious payloads targeting the file management view, but no specific commands or signatures are provided.

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Joomla! CMS to a fixed version.

  • Upgrade to Joomla! CMS version 5.4.7 or later if you are on the 5.x branch.
  • Upgrade to Joomla! CMS version 6.1.2 or later if you are on the 6.x branch.

Contact the Joomla! Security Strike Team (JSST) at the Joomla! Security Centre for further assistance if needed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48950. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart