Description
Lack of output escaping leads to an XSS vector in the content history component (com_contenthistory).
Published: 2026-05-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a lack of output escaping in the content history component (com_contenthistory): text the component displays is written into the rendered page without HTML encoding, so an attacker who can get script-bearing text in front of the component has it execute in the browser of any user who later views that page, with that user's session and privileges. The CNA's CVSS 4.0 vector rates the confidentiality impact on the viewing user as high (VC:H). The weakness is CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Affected Systems

The affected product is Joomla! CMS from the Joomla! Project. The CVE record carries only a version-wildcarded CPE (cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*), so the affected version range cannot be read from this page; treat any installation that has not been updated per Joomla! security advisory 20260503 (the identifier in the CVE title) as potentially affected. The users at risk are those who view pages served by com_contenthistory, i.e. administrators and any other accounts whose permissions let them open content history.

Risk and Exploitability

The CNA's CVSS 4.0 base score is 6.9 (Medium). Its vector, AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L, says the attacker needs high privileges (PR:H) and the victim only has to view the affected page (UI:P, passive interaction); the injected script then runs in the victim's session, which is where the high confidentiality impact comes from. NVD's CVSS 3.1 assessment (6.1, AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) instead assumes no privileges but an explicit user action, so the two sources disagree on who can plant the payload; the scope change (S:C) reflects that the script runs in the browser rather than in the CMS itself. EPSS is below 1%, the CVE is not listed in CISA KEV, and the SSVC record gives Exploitation: none and Automatable: no, so there is no public evidence of exploitation at present. Feasibility is moderate: it depends on the attacker holding a suitable account and on a privileged user later viewing the affected history page.

Generated by OpenCVE AI on May 26, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Joomla! CMS to the release that contains the output‑escaping fix for com_contenthistory published under Joomla! security advisory 20260503 (the identifier in the CVE title).
  • If the patch cannot be applied immediately, review the com_contenthistory view layouts and any template override of them: every user‑controlled value must be HTML‑encoded at the point of output, in attribute contexts as well as element text, rather than relying on input filtering alone.
  • Limit who can reach the content history component: restrict it to the administrators who need it, and keep it (and the back end generally) off publicly reachable paths where that is an option. Because the CNA rates this as requiring high privileges, also review which accounts can author the content the component displays.
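The following is an added example, not Joomla's code and not the vulnerable code behind this CVE (which is not reproduced on this page). It illustrates the impact described in the AI Analysis (a value rendered without output escaping becoming stored XSS) and the review step in the second recommendation (checking that every user-controlled value is encoded at the output point). The table markup, the functions render_vulnerable(), render_fixed(), e() and contains_raw_markup(), and the sample history row are all assumptions made for the illustration.

```php
<?php
// Added example (not Joomla's own code). Demonstrates a history-style row rendered
// once without output escaping and once with it, plus a cheap check a reviewer or
// unit test can run. All names and data below are assumed for illustration.

declare(strict_types=1);

// Constructed sample: a content-history row as an attacker with content-edit rights
// might save it. Two fields carry script-bearing payloads for an attribute context
// (version_note, rendered inside title="...") and an element-text context (editor_name).
$historyRow = [
    'version_id'   => 42,
    'save_date'    => '2026-05-20 10:15:00',
    'version_note' => 'minor fix" onmouseover="alert(document.cookie)" x="',
    'editor_name'  => '<img src=x onerror="fetch(\'/administrator/index.php?option=com_users\')">',
];

// Vulnerable pattern: raw values interpolated straight into HTML. The version_note
// closes the title attribute and adds an event handler; editor_name injects a tag.
function render_vulnerable(array $row): string
{
    return '<tr>'
        . '<td><a href="#" title="' . $row['version_note'] . '">#' . $row['version_id'] . '</a></td>'
        . '<td>' . $row['editor_name'] . '</td>'
        . '<td>' . $row['save_date'] . '</td>'
        . '</tr>';
}

// Escaping helper for element text and double-quoted attribute values.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would otherwise hide data silently.
function e(mixed $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Fixed pattern: every user-controlled value passes through e() at the output point,
// including the ones that "look safe" today (ids, dates), so a later schema change
// cannot reopen the hole.
function render_fixed(array $row): string
{
    return '<tr>'
        . '<td><a href="#" title="' . e($row['version_note']) . '">#' . e($row['version_id']) . '</a></td>'
        . '<td>' . e($row['editor_name']) . '</td>'
        . '<td>' . e($row['save_date']) . '</td>'
        . '</tr>';
}

// Review/test check: if any input field that needed escaping still appears verbatim
// in the rendered HTML, some output point is missing its encoding.
function contains_raw_markup(string $html, array $row): bool
{
    foreach ($row as $value) {
        $value = (string) $value;
        if ($value === e($value)) {
            continue; // nothing in this field needed escaping, so it proves nothing
        }
        if (str_contains($html, $value)) {
            return true; // the raw, unescaped value survived into the output
        }
    }
    return false;
}

$vulnerable = render_vulnerable($historyRow);
$fixed      = render_fixed($historyRow);

echo 'vulnerable output contains raw markup: ' . var_export(contains_raw_markup($vulnerable, $historyRow), true) . "\n";
echo 'fixed output contains raw markup:      ' . var_export(contains_raw_markup($fixed, $historyRow), true) . "\n";
echo $fixed . "\n";
```

In a real Joomla layout the escaping call would be the view's own escape() helper or htmlspecialchars() directly; the point of the check is that it fails on the vulnerable renderer and passes on the fixed one, so it can be attached to a layout as a regression test. When reviewing a component or a template override by hand, the equivalent step is to list every echo of a model or database value in the layout files and confirm each one is wrapped in an escaping call appropriate to its context (attribute, element text, URL or JavaScript), since input filtering alone does not protect values that were stored before the filter existed.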

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 15:30:00 +0000

  • Metrics (ssvc), added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 13:30:00 +0000

  • First time appeared, added: Joomla joomla!
  • CPEs, added: cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
  • Vendors & Products, added: Joomla joomla!
  • Metrics (cvssV3_1), added:
    {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 27 May 2026 10:30:00 +0000

  • First time appeared, added: Joomla (vendor); Joomla joomla! (product)
  • Vendors & Products, added: Joomla (vendor); Joomla joomla! (product)

Tue, 26 May 2026 17:00:00 +0000

  • Description, added: Lack of output escaping leads to a XSS vector in the content history component.
  • Title, added: Joomla! Core - [20260503] - XSS in com_contenthistory
  • Weaknesses, added: CWE-79
  • References: (no value recorded)
  • Metrics (cvssV4_0), added:
    {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-05T07:28:01.850Z

Reserved: 2026-03-06T04:55:46.056Z

Link: CVE-2026-30894

Vulnrichment

Updated: 2026-06-02T14:36:36.759Z

NVD

Status : Analyzed

Published: 2026-05-26T17:16:30.903

Modified: 2026-05-27T13:29:08.110

Link: CVE-2026-30894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:04:39Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')