CVE-2026-48954
Received Received - Intake

Language Override XSS in Joomla CMS

Vulnerability report for CVE-2026-48954, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Joomla! Project

Description

Improper validation leads to a generic XSS vector in the language override feature.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
joomla joomla to 5.4.5 (inc)
joomla joomla to 6.1.1 (inc)
joomla joomla 5.4.7
joomla joomla 6.1.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-48954 is a security vulnerability in Joomla! CMS versions 3.0.0 through 5.4.5 and 6.0.0 through 6.1.1 that allows for a Cross-Site Scripting (XSS) attack.

The vulnerability arises due to improper validation in the language override feature, which can be exploited by attackers to inject malicious scripts.

This issue was reported on May 15, 2026, and fixed on July 7, 2026, with the release of Joomla! versions 5.4.7 and 6.1.2.

Impact Analysis

This vulnerability can allow attackers to perform Cross-Site Scripting (XSS) attacks, which may lead to the execution of malicious scripts in the context of the affected website.

Such attacks can result in unauthorized actions on behalf of users, theft of sensitive information like cookies or session tokens, and potential compromise of user accounts.

The severity is considered moderate with a low probability of occurrence, but it is recommended to upgrade to patched versions to mitigate the risk.

Mitigation Strategies

To mitigate the CVE-2026-48954 vulnerability, users should upgrade Joomla! CMS to the patched versions 5.4.7 or 6.1.2 where the issue has been fixed.

This vulnerability allows a Cross-Site Scripting (XSS) attack through improper validation in the language override feature, so applying the update is the recommended immediate step.

Detection Guidance

This vulnerability is a Cross-Site Scripting (XSS) issue in the language override feature of Joomla! CMS versions 3.0.0 through 5.4.5 and 6.0.0 through 6.1.1. Detection typically involves checking the Joomla! version in use and verifying if it is one of the vulnerable versions.

Since the vulnerability exploits improper validation in language overrides, detection on a network or system would involve inspecting HTTP requests or inputs that manipulate language override parameters for suspicious script injections.

No specific detection commands or scripts are provided in the available resources. The recommended mitigation is to upgrade Joomla! to versions 5.4.7 or 6.1.2 or later, which contain the fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48954. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart