Cross-Site Scripting Vulnerability in Joomla Feed Modules
CVE-2026-25900

6.9 MEDIUM

Key Information:

Vendor: Joomla
CVE Published: 26 May 2026

What is CVE-2026-25900?

The vulnerability arises from inadequate output escaping in Joomla's feed modules, which can be exploited to execute arbitrary JavaScript code in a victim's browser. This could allow attackers to perform actions such as stealing session cookies or redirecting users to malicious sites. Website administrators must implement precautions, such as input validation and output encoding, to mitigate this risk.

Affected Version(s)

Joomla! CMS 3.0.0-5.4.5

Joomla! CMS 6.0.0-6.1.0

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mohamed Elabbas
Sun Huang