CVE-2026-48953
Received Received - Intake

XSS in Joomla Image Output Layout

Vulnerability report for CVE-2026-48953, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Joomla! Project

Description

Lack of escaping leads to an XSS vulnerability in the generic image output layout.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
joomla cms From 4.0.0 (inc) to 6.1.1 (inc)
joomla cms 5.4.7
joomla cms 6.1.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate the CVE-2026-48953 vulnerability, users should upgrade Joomla! CMS to the patched versions 5.4.7 or 6.1.2 where the issue has been fixed.

This vulnerability is caused by insufficient input escaping in the generic image output layout, leading to Cross-Site Scripting (XSS). Applying the update will prevent malicious scripts from being executed in users' browsers.

Executive Summary

CVE-2026-48953 is a Cross-Site Scripting (XSS) vulnerability in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.1.

The vulnerability occurs due to insufficient input escaping in the generic image output layout, which allows malicious scripts to be executed in a user's browser.

This means that an attacker can inject malicious code that runs when other users view the affected content.

Impact Analysis

This XSS vulnerability can allow attackers to execute malicious scripts in the browsers of users who view the affected Joomla! CMS content.

Potential impacts include theft of user credentials, session hijacking, defacement of the website, or redirection to malicious sites.

However, the vulnerability has moderate severity and a low probability of exploitation.

Upgrading to Joomla! versions 5.4.7 or 6.1.2 or later mitigates this risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48953. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart