Description
Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.
Published: 2026-05-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Inadequate content filtering in the Joomla! Framework checkAttribute methods enables malicious code to be injected into HTML attributes, resulting in Cross‑Site Scripting. An attacker can craft payloads that execute in the victim’s browser, potentially allowing credential theft, session hijacking, or defacement of web pages. The vulnerability is a classic input validation flaw (CWE‑79).

Affected Systems

The Joomla! Project’s Joomla! Framework Filter package is affected. No specific version ranges are listed in the public data, so all installations using the current checkAttribute implementation are potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, so no public evidence of exploitation is known. The likely attack vector is client‑side via untrusted input that is not properly sanitized before being inserted into HTML attribute values. If an attacker can supply such input through any exposed form or data field, the risk of successful exploitation is plausible. The absence of a KEV listing means that defenders may not have seen widespread real‑world attacks yet, but the moderate score and absence of mitigation advice warrant timely action.

Generated by OpenCVE AI on May 26, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Joomla! Framework to the latest released version that contains the fix for checkAttribute content filtering.
  • Audit all custom extensions and themes for direct use of Joomla!’s checkAttribute or similar methods, and enforce strict input validation and output escaping before rendering attribute values.
  • Implement a web application firewall or modern content‑security‑policy headers to detect and block XSS payloads targeting attribute contexts.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Joomla joomla! Framework Filter Package |
| Vendors & Products | | Joomla joomla! Framework Filter Package |

Wed, 27 May 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Tue, 26 May 2026 21:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Joomla; Joomla joomla\! |
| CPEs | | cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:* |
| Vendors & Products | | Joomla; Joomla joomla\! |
| Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'} |

Tue, 26 May 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. |
| Title | | Joomla! Framework - [20260519] - Inadequate content filtering within the checkAttribute filter code. |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-05-27T09:15:23.009Z

Reserved: 2026-05-26T10:06:17.656Z

Link: CVE-2026-48903

Vulnrichment

Updated: 2026-05-26T18:09:12.527Z

NVD

Status: Analyzed

Published: 2026-05-26T17:16:55.077

Modified: 2026-05-26T20:55:57.623

Link: CVE-2026-48903

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:51:21Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')