Description
Lack of output escaping leads to an XSS vector in the feed modules.
Published: 2026-05-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Joomla! Core flaw arises from missing output escaping in its feed modules, creating a Cross‑Site Scripting (CWE‑79) vector. An attacker can embed malicious script into a feed entry, which is then rendered unescaped to any visitor. In a successful exploitation, the injected code runs within the victim’s browser, potentially hijacking sessions, stealing cookies, redirecting users, or defacing the site.

Affected Systems

Joomla! Project’s Joomla! CMS installations that include the feed modules without the published patch are affected. Version information is not explicitly enumerated, so any deployment that has not applied the latest Joomla! update containing the XSS fix remains vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. The attack vector is remote: a crafted feed entry can deliver harmful content to any user who accesses the feed, and no user credentials or elevated permissions are required.

Generated by OpenCVE AI on May 26, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Joomla! CMS to the latest version that incorporates the output‑escaping fix for feed modules.
  • If an immediate update is not possible, disable the feed modules for unauthenticated users or configure any built‑in sanitization mechanisms to escape output.
  • Review and patch any custom extensions or modules that modify feed content to ensure proper output encoding before rendering.

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:45:00 +0000

  Type                | Values Removed | Values Added
  First Time appeared |                | Joomla joomla\!
  CPEs                |                | cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
  Vendors & Products  |                | Joomla joomla\!
  Metrics             |                | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 27 May 2026 10:30:00 +0000

  Type                | Values Removed | Values Added
  First Time appeared |                | Joomla; Joomla joomla!
  Vendors & Products  |                | Joomla; Joomla joomla!

Tue, 26 May 2026 18:30:00 +0000

  Type    | Values Removed | Values Added
  Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:00:00 +0000

  Type        | Values Removed | Values Added
  Description |                | Lack of output escaping leads to a XSS vector in the feed modules.
  Title       |                | Joomla! Core - [20260501] - XSS in feed modules
  Weaknesses  |                | CWE-79
  References  |                |
  Metrics     |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-05-27T09:12:20.038Z

Reserved: 2026-02-07T04:53:10.343Z

Link: CVE-2026-25900

Vulnrichment

Updated: 2026-05-26T17:27:13.051Z

NVD

Status: Analyzed

Published: 2026-05-26T17:16:30.250

Modified: 2026-06-17T10:25:24.433

Link: CVE-2026-25900

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:04:33Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')