Description
Lack of output escaping leads to an XSS vector in the multilingual associations component.
Published: 2026-04-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting
Action: Apply Patch
AI Analysis

Impact

The Joomla! Content Management System’s multilingual associations component fails to escape output in its comparison view, enabling an attacker to inject malicious JavaScript that runs in the browsers of any user who visits the affected page. This client‑side code execution can be used for phishing, cookie theft, or defacement of the site within the victim’s browser context.

Affected Systems

Any Joomla! installation that includes the com_associations component prior to the March 3 2026 advisory is potentially vulnerable. The flaw applies to all versions of the component that were in use before the patch was released; no specific version range was specified in the advisory, so sites should assume the default multilingual associations feature is at risk.

Risk and Exploitability

The CVSS base score of 5.9 places the issue in the medium severity range, and the reported exploitation likelihood is very low (less than one percent). The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. It is presumably triggered through the web interface when an attacker supplies unescaped data—such as a crafted URL parameter or form field—that is rendered in the comparison view. The impact is limited to the victim’s browser, but successful exploitation would give the attacker full access to that browser’s scripting environment.

Generated by OpenCVE AI on April 9, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply the latest Joomla! update that addresses the XSS issue immediately.
  • If a patch is not yet available, disable the com_associations component or remove the multilingual associations feature until a fix is released.
  • Enable Joomla!’s global output filtering or reduce the component’s input handling privileges to prevent unescaped data from being rendered.
  • Monitor site logs and user activity for signs of attempted JavaScript injection or abnormal browser behavior.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 20:00:00 +0000

Type               | Values Removed | Values Added
First Time appeared |                | Joomla joomla!
CPEs               |                | cpe:2.3:a:joomla:joomla!:*:*:*:*:*:*:*:*
Vendors & Products |                | Joomla joomla!
Metrics            |                | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Fri, 03 Apr 2026 10:15:00 +0000

Type               | Values Removed | Values Added
First Time appeared |                | Joomla
                   |                | Joomla joomla!
Vendors & Products |                | Joomla
                   |                | Joomla joomla!

Wed, 01 Apr 2026 23:45:00 +0000

Type               | Values Removed | Values Added
References         |                |
Metrics            |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 09:45:00 +0000

Type               | Values Removed | Values Added
Description        |                | Lack of output escaping leads to a XSS vector in the multilingual associations component.
Title              |                | Joomla! Core - [20260303] - XSS vector in com_associations comparison view
Weaknesses         |                | CWE-79
References         |                |
Metrics            |                | cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-04-02T05:09:59.076Z

Reserved: 2026-01-01T04:42:27.960Z

Link: CVE-2026-21631

Vulnrichment

Updated: 2026-04-01T12:54:31.657Z

NVD

Status: Analyzed

Published: 2026-04-01T10:16:16.097

Modified: 2026-04-09T19:55:58.423

Link: CVE-2026-21631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:50Z

Weaknesses