PatchSiren cyber security CVE debrief
CVE-2026-25900 Joomla! Project CVE debrief
CVE-2026-25900 is a cross-site scripting (XSS) vulnerability in Joomla core feed modules, published 2026-05-26. The vulnerability stems from a lack of output escaping, allowing crafted input to execute scripts in a victim's browser. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, requiring high privileges and user interaction, with high confidentiality impact and low integrity/availability impact. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Joomla's security team published advisory 20260501 addressing this core issue. No known exploitation in ransomware campaigns (non-KEV). Organizations using Joomla feed modules should apply vendor patches when available and implement output encoding controls.
- Vendor: Joomla! Project
- Product: Joomla! CMS
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-27
Who should care
Joomla site administrators, web application security teams, content management system operators, security auditors assessing Joomla deployments
Technical summary
Cross-site scripting vulnerability in Joomla core feed modules caused by insufficient output escaping. Exploitation requires high privileges and user interaction. Confidentiality impact rated high per CVSS 4.0.
Defensive priority
medium
Recommended defensive actions
- Apply Joomla security update for advisory 20260501 when available from vendor
- Review feed module output encoding implementations for proper HTML entity encoding
- Implement Content Security Policy headers to mitigate XSS impact
- Audit feed module configurations for unauthorized modifications
- Monitor for anomalous script injection attempts in feed content submissions
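As an added illustration of the output-encoding control above (not code from Joomla or from this advisory), a minimal PHP feed-item renderer showing the unescaped pattern beside its escaped form; the item field names and helper functions are assumptions:

```php
<?php
// Added illustrative example, not Joomla project code. Assumes a feed item
// array with 'title', 'link' and 'description' strings from an untrusted source.

function escapeHtml(string $value): string
{
    // ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE keeps output on invalid
    // UTF-8 instead of returning an empty string. Charset must match the page.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escapeUrl(string $url): string
{
    // Only http(s) links are allowed in a feed item; anything else becomes '#'.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return escapeHtml($url);
}

// Vulnerable pattern: feed fields interpolated directly into markup.
function renderFeedItemUnescaped(array $item): string
{
    return '<li><a href="' . $item['link'] . '">' . $item['title'] . '</a>'
        . '<p>' . $item['description'] . '</p></li>';
}

// Hardened pattern: every field passes through a context-appropriate escaper.
function renderFeedItemEscaped(array $item): string
{
    return '<li><a href="' . escapeUrl($item['link']) . '">'
        . escapeHtml($item['title']) . '</a>'
        . '<p>' . escapeHtml($item['description']) . '</p></li>';
}

// Constructed sample item whose fields contain markup and quotes.
$item = [
    'title'       => 'Release notes <b>1.0</b>',
    'link'        => 'https://example.com/feed/1',
    'description' => 'Text with "quotes" & <i>tags</i>',
];

echo renderFeedItemEscaped($item), PHP_EOL;
```

Reviewing a feed module means checking that each template output site follows the second pattern, with the escaper chosen for the HTML context (element body, attribute, or URL) it writes into.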
Evidence notes
CVE description confirms XSS via lack of output escaping in feed modules. CVSS 4.0 vector from NVD: AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L. CWE-79 classification from [email protected]. Vendor attribution supported by Joomla security advisory reference.
Official resources
- CVE-2026-25900 CVE record (CVE.org)
- CVE-2026-25900 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory, 2026-05-26