Description
Lack of output escaping leads to an XSS vector in the multilingual associations component.
Published: 2026-05-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Joomla! CMS multilingual associations component (com_associations, the administrator-side tool for linking translated items) writes data into its pages without escaping it, an XSS flaw classified as CWE-79. An attacker who can get a crafted string into the component's output can execute JavaScript in the browser of any user who views the affected page, enabling defacement, credential theft, or session hijacking; because these views live in the administrator interface, a hijacked session or a forged request carries whatever privileges that administrator holds in the CMS. The impact is confined to the web application context: the flaw by itself offers no memory-corruption or direct remote code execution primitive.
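The bug class described above, shown as an added example rather than Joomla's own code: a row of association data interpolated raw into HTML, next to a rendering that escapes each value for the context it lands in. The record, the URL and the helper names are constructed for illustration.

```php
<?php
// Added example, not Joomla core code: the bug class the advisory describes
// (component data written into HTML without escaping) next to a hardened
// rendering. SAMPLE_ROW is a constructed record; the URL is a placeholder.
declare(strict_types=1);

const SAMPLE_ROW = [
    'title' => '"><img src=x onerror=alert(document.cookie)>',
    'lang'  => 'en-GB',
];

// Vulnerable: the title lands in both an attribute and a text node verbatim,
// so the closing quote and angle bracket in the payload break out of the href.
function renderRowVulnerable(array $row): string
{
    return '<a href="index.php?option=com_associations&view=associations&title='
        . $row['title'] . '">' . $row['title'] . '</a> (' . $row['lang'] . ')';
}

// HTML text or quoted-attribute context: ENT_QUOTES neutralises both quote
// styles, ENT_SUBSTITUTE keeps an invalid byte from emptying the whole string.
// (Joomla views expose $this->escape(), which also wraps htmlspecialchars();
//  check which quote flags it applies before relying on it inside single-quoted
//  attributes. escHtml() here is our helper, not a Joomla API.)
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL query-parameter context: percent-encode first, then HTML-escape the
// attribute value, because each layer has its own metacharacters.
function escUrlParam(string $s): string
{
    return escHtml(rawurlencode($s));
}

function renderRowSafe(array $row): string
{
    return '<a href="index.php?option=com_associations&amp;view=associations&amp;title='
        . escUrlParam($row['title']) . '">' . escHtml($row['title']) . '</a> ('
        . escHtml($row['lang']) . ')';
}

$unsafe = renderRowVulnerable(SAMPLE_ROW);
$safe   = renderRowSafe(SAMPLE_ROW);
echo "vulnerable: {$unsafe}\n";
echo "hardened:   {$safe}\n";

// The hardened output must carry no raw tag and no attribute break-out from the title.
if (strpos($safe, '<img') !== false || strpos($safe, '"><') !== false) {
    throw new RuntimeException('escaping failed');
}
```

The point of the two helpers is that the escaping function is chosen by the output context, not by the data source: the same title needs percent-encoding inside the query string and entity-encoding inside the text node, and applying only one of them still leaves a break-out.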

Affected Systems

The affected product is Joomla! CMS (CNA: Joomla). The advisory gives no version range, and the CPE recorded in the history (cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*) is unversioned, so every release that ships the multilingual associations component (com_associations) must be treated as affected until the Joomla security announcement referenced in the title, [20260502], names the fixed version.

Risk and Exploitability

The CNA's CVSS 4.0 base score is 6.9 (Medium) with vector AV:N/AC:L/AT:N/PR:H/UI:P, while NVD's CVSS 3.1 score is 6.1 with PR:N/UI:R/S:C; the two scorings disagree on whether the attacker needs high privileges, so treat the precondition for reaching the unescaped output as unresolved until the vendor advisory states it. EPSS is below 1%, the SSVC assessment records no known exploitation and marks the flaw as not automatable, and it is not listed in the CISA KEV catalog. The mechanism is unescaped output in the associations views of the administrator backend, so the payload executes in the browser of whoever opens those views, typically an editor or administrator; whether the payload is reflected from a request or stored with content is not stated in the advisory. Overall risk is moderate: opportunistic exploitation is unlikely, but the target is high-value, since a script running in an administrator's backend session inherits that administrator's authority in the CMS.

Generated by OpenCVE AI on May 26, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Joomla! CMS to the release named in the Joomla security announcement referenced by the CVE title ([20260502]) as soon as it is published; no fix is recorded on this page yet, so watch the Joomla Security Centre and this CVE's Advisories section.
  • Until then, limit who can reach the associations views: com_associations is a backend component, so restrict administrator logins and the user groups allowed to create or edit multilingual content, or disable the component if the site does not use multilingual associations.
  • Deploy a Content Security Policy whose script-src omits 'unsafe-inline' and relies on nonces or hashes for legitimate scripts; this stops an injected inline script or event handler from running but is a mitigation, not a fix for the missing escaping.
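A policy of the kind the last recommendation describes, emitted from PHP, as an added example that is not part of the page or of Joomla core. The script path is a placeholder; if your Joomla version includes the System - HTTP Headers plugin, the same directives can be configured there instead.

```php
<?php
// Added example, not Joomla core code: a nonce-based CSP so that only scripts
// carrying the per-request nonce execute. The script src is a placeholder.
declare(strict_types=1);

function buildCsp(string $nonce): string
{
    // No 'unsafe-inline': an injected <script> block is refused unless it
    // carries the nonce, and inline event handlers (onerror=, onclick=) and
    // javascript: URLs are refused outright, since nonces never cover them.
    return implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'nonce-$nonce'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
    ]);
}

function cspNonce(): string
{
    return base64_encode(random_bytes(16));   // 128 bits of entropy, fresh per response
}

$nonce = cspNonce();

// Roll out in Report-Only first so legitimate inline scripts in templates and
// extensions surface in violation reports; switch to the enforcing header after.
header('Content-Security-Policy-Report-Only: ' . buildCsp($nonce));
// header('Content-Security-Policy: ' . buildCsp($nonce));

// Legitimate scripts are tagged with the nonce; markup injected through an
// unescaped field cannot know it, so the browser does not run it.
printf(
    '<script nonce="%s" src="/media/system/js/core.min.js"></script>' . "\n",
    htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8')
);
echo 'policy: ' . buildCsp($nonce) . "\n";
```

The nonce must be generated once per response and never reused or derived from anything the attacker can read; a static nonce is equivalent to 'unsafe-inline'. Expect a backend template to need every inline script tagged before the enforcing header can go live, which is why the report-only step comes first.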

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:45:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  (none)           Joomla joomla\!
  CPEs                 (none)           cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
  Vendors & Products   (none)           Joomla joomla\!
  Metrics              (none)           cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 27 May 2026 11:15:00 +0000

  Type                 Values Removed   Values Added
  Metrics              (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  (none)           Joomla; Joomla joomla!
  Vendors & Products   (none)           Joomla; Joomla joomla!

Tue, 26 May 2026 17:00:00 +0000

  Type                 Values Removed   Values Added
  Description          (none)           Lack of output escaping leads to a XSS vector in the multilingual associations component.
  Title                (none)           Joomla! Core - [20260502] - XSS in com_associations
  Weaknesses           (none)           CWE-79
  References           (none)           (none)
  Metrics              (none)           cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-05-27T09:28:14.477Z

Reserved: 2026-02-07T04:53:10.344Z

Link: CVE-2026-25901

Vulnrichment

Updated: 2026-05-26T18:09:54.535Z

NVD

Status: Analyzed

Published: 2026-05-26T17:16:30.417

Modified: 2026-06-17T10:25:24.550

Link: CVE-2026-25901

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:04:23Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')