Description
Lack of input filtering leads to an XSS vector in the HTML filter code.
Published: 2026-05-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Joomla! Framework Filter package's cleanAttributes function fails to validate and neutralise attribute content that carries HTML or JavaScript, so an attacker who can submit HTML through the filter can inject script into pages built from that content. The script runs in the browser of any user who views the rendered content and can read session cookies that are not flagged HttpOnly, perform actions as the victim, or deface the page. The weakness is classified as CWE-79 (cross-site scripting).

Affected Systems

The Joomla! Framework Filter package is affected. The CVE entry gives no affected or fixed version range, and NVD's CPE match (cpe:2.3:a:joomla:joomla\!:*) is likewise unversioned, so any installation that runs the package's default cleanAttributes implementation should be treated as at risk until a fixed release is identified.

Risk and Exploitability

The vendor-supplied CVSS v4.0 score of 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N) rates the issue Medium; that vector assumes an attacker who already holds high privileges (PR:H) and a victim who takes an action (UI:P), consistent with stored XSS through content submitted by a privileged author. NVD's CVSS v3.1 vector (6.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) instead assumes no privileges, so the two scores bracket the realistic exposure depending on who is allowed to submit content that passes through the filter. The EPSS score is below 1% and the issue is not in the CISA KEV catalogue (SSVC: Exploitation none, Automatable no), so there is no evidence of exploitation in the wild, but any site that renders user-supplied HTML through cleanAttributes is exposed. The attack path is client-side: the attacker submits HTML whose attributes the filter fails to neutralise, and the payload executes in the browser of whoever views the rendered content.

Generated by OpenCVE AI on May 26, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Joomla! Framework Filter package release that fixes cleanAttributes as soon as the vendor publishes it; at the time of this entry the CVE lists no fixed version, so track the Joomla security announcement whose identifier ([20260520]) appears in the CVE title.
  • Treat HTML submitted by users as untrusted: sanitise it against an allow-list of tags and attributes, drop event-handler (on*) attributes, and restrict URL-bearing attributes such as href and src to known-safe schemes.
  • Until a patch is available, reduce exposure by limiting which roles may submit HTML, escaping user content on output rather than relying on the filter alone, and deploying a Content-Security-Policy that blocks inline script as defence in depth.

Generated by OpenCVE AI on May 26, 2026 at 18:37 UTC.
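The allow-list approach the recommended actions describe, as an added Python example that is not Joomla's PHP cleanAttributes and not code from this page or from the Joomla project. The bypass behind CVE-2026-48905 is not disclosed, so the inputs below are constructed generic cases; the tag and attribute policy, the scheme list and the function names are assumptions made for the example. It shows the two checks an attribute filter must make: drop every attribute not on a per-tag allow-list (which removes all on* handlers without enumerating them), and judge URL-bearing attributes by their scheme after entity decoding and after stripping the control characters browsers ignore.

```python
import html
import re
from html.parser import HTMLParser

# Per-tag attribute allow-list. Constructed for this example; a real policy
# would be wider, but every attribute not listed here (including all on*
# event handlers, style, srcdoc, formaction) is dropped by construction.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
}
URL_ATTRS = {"href", "src"}           # values the browser resolves as URLs
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}             # emitted without a closing tag

# Browsers strip ASCII controls and whitespace while parsing a URL, so
# "java\tscript:" and " javascript:" both execute. Remove them before
# reading the scheme; this copy is only used for the check, never emitted.
_CONTROLS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def is_safe_url(value: str) -> bool:
    """Allow relative URLs and an explicit set of schemes; reject everything else."""
    cleaned = _CONTROLS.sub("", html.unescape(value))
    match = _SCHEME.match(cleaned)
    if match is None:
        return True                   # no scheme at all: relative URL
    return match.group(1).lower() in SAFE_SCHEMES


class AttributeFilter(HTMLParser):
    """Re-serialise a fragment keeping only allow-listed tags and attributes.

    HTMLParser decodes entity references in attribute values before handing
    them over, so the checks run on what the browser would see, not on the
    raw attribute text.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag not in ALLOWED_ATTRS:
            return                    # unknown tag dropped; its text still reaches handle_data
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS[tag]:
                continue              # rejects on*, style, etc. without naming them
            value = value or ""       # a bare attribute (<img src>) arrives as None
            if name in URL_ATTRS and not is_safe_url(value):
                continue              # javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in ALLOWED_ATTRS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))   # text is re-escaped, never passed through

    def handle_comment(self, data):
        pass                          # comments are dropped


def clean_attributes(fragment: str) -> str:
    """Filter an untrusted HTML fragment down to the allow-list above."""
    parser = AttributeFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed inputs, not the undisclosed CVE-2026-48905 payload: each is a
# generic pattern any attribute filter has to handle.
SAMPLES = [
    '<a href="https://example.com" onclick="alert(1)">ok</a>',
    '<a href="javascript:alert(1)">x</a>',
    '<a href="java&#09;script:alert(1)">x</a>',
    '<A HREF="JavaScript:alert(1)">x</A>',
    '<img src="x" onerror="alert(1)">',
    '<p onmouseover="alert(1)">hi <script>alert(2)</script></p>',
    '<a href="/about" title="t">about</a>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:62} -> {clean_attributes(sample)!r}")
```

Running the module prints each constructed input beside its filtered form. The cases worth attention are the tab-separated and mixed-case javascript: URLs: a filter that compares the literal string "javascript:" against the raw attribute text misses both, which is why the scheme check here runs on the decoded value with control characters removed and compares case-insensitively.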

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type                  Values Removed   Values Added
Metrics (ssvc)        -                {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Joomla joomla! Framework Filter Package
Vendors & Products    -                Joomla joomla! Framework Filter Package

Tue, 26 May 2026 21:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Joomla; Joomla joomla\!
CPEs                  -                cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Vendors & Products    -                Joomla; Joomla joomla\!
Metrics (cvssV3_1)    -                {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 26 May 2026 17:00:00 +0000

Type                  Values Removed   Values Added
Description           -                Lack of input filtering leads to an XSS vector in the HTML filter code.
Title                 -                Joomla! Framework - [20260520] - Inadequate content filtering within the cleanAttributes filter code.
Weaknesses            -                CWE-79
References            -
Metrics (cvssV4_0)    -                {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-05-27T09:14:13.346Z

Reserved: 2026-05-26T10:06:17.656Z

Link: CVE-2026-48905

Vulnrichment

Updated: 2026-05-26T18:09:39.736Z

NVD

Status : Analyzed

Published: 2026-05-26T17:16:55.323

Modified: 2026-05-26T20:51:16.700

Link: CVE-2026-48905

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:04:21Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')