Description
An improper validation of user-supplied input leads to a local file inclusion vulnerability.
Published: 2026-05-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an improper validation of the layout parameter in Joomla!’s HTMLView. Attackers can supply arbitrary file paths, causing the application to include local files on the server. This local file inclusion can lead to reading sensitive files such as configuration files, database credentials, or execution of malicious code if the included file is interpreted. The weakness is classified as CWE‑22.

Affected Systems

The issue affects the Joomla! CMS supplied by the Joomla! Project. No specific product version is listed in the advisory, so the vulnerability may apply broadly to installations that have not applied the referenced patch. Administrators should check whether their Joomla! CMS version is older than the fix referenced by the security announcement.

Risk and Exploitability

The CVSS base score is 7.5, indicating a high severity for local required attack privilege. The EPSS score is not provided, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through a web request that manipulates the layout parameter. Exploitation requires the attacker to have enough permissions to read files via the web server, so it is typically limited to local or privileged accounts. However, the impact remains significant if sensitive files can be accessed.

Generated by OpenCVE AI on May 26, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Joomla! CMS to a version that includes the fix referenced in the security announcement.
  • If an immediate upgrade is not possible, apply a temporary workaround by allowing only a whitelist of acceptable layout names or disabling the layout parameter entirely.
  • Tighten server file permissions to restrict web‑server access to sensitive files such as configuration files, database dumps, or any files that are not intended to be publicly readable.
  • Monitor web server logs for unusual requests containing the layout parameter with suspicious file paths.

Generated by OpenCVE AI on May 26, 2026 at 18:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Joomla joomla\!
CPEs cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Vendors & Products Joomla joomla\!
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Joomla
Joomla joomla!
Vendors & Products Joomla
Joomla joomla!

Tue, 26 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description An improper validation of user-supplied input leads to a local file inclusion vulnerability.
Title Joomla! Core - [20260509] - LFI in HTMLView layout parameter
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Joomla Joomla! Joomla\!
cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-05-27T09:14:28.517Z

Reserved: 2026-04-12T05:13:31.714Z

Link: CVE-2026-40383

cve-icon Vulnrichment

Updated: 2026-05-26T18:58:39.883Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T17:16:39.360

Modified: 2026-05-27T12:24:10.407

Link: CVE-2026-40383

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:04:14Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')