CSRF Vulnerability in Joomla's User Activation Endpoint
CVE-2026-35220

4.6MEDIUM

Key Information:

Vendor: Joomla
Status: Joomla! Cms
Vendor: CVE Published:; 26 May 2026

What is CVE-2026-35220?

A Cross-Site Request Forgery (CSRF) vulnerability exists in the admin activation endpoint of Joomla's user management component. This vulnerability arises from inadequate validation of CSRF tokens, potentially allowing attackers to exploit this weakness. By leveraging this flaw, unauthorized actions can be executed on behalf of an authenticated user, compromising the security and integrity of affected Joomla installations. Users are encouraged to update their systems and implement security best practices to mitigate any risks associated with this vulnerability.

Affected Version(s)

Joomla! CMS 6.0.0-6.1.0

References

https://developer.joomla.org/security-centre/1037-2026050...

vendor-advisory

CVSS V4

Score:

4.6

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
Apr 1, 2026

Credit

Sun HuangnSec

CVE-2026-35220 Data

JSON