PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-30894 Joomla! Project CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the content history component (com_contenthistory) of Joomla! Core. The flaw stems from insufficient output escaping: an attacker who already holds high privileges can store script in content history data, and that script then executes in the browser session of another user who views the affected entry. The vulnerability was disclosed by the Joomla! Security Strike Team and is currently undergoing analysis in the National Vulnerability Database (NVD).

Vendor
Joomla! Project
Product
Joomla! CMS
CVSS
MEDIUM 6.9
CISA KEV
Not listed (per the evidence on record at the time of writing)
Original CVE published
2026-05-26
Original CVE updated
2026-05-27
Advisory published
2026-05-26
Advisory updated
2026-05-27

Who should care

Joomla! site administrators, security teams managing Joomla! deployments, and developers extending the content history functionality

Technical summary

The vulnerability exists in Joomla!'s com_contenthistory component because data stored in content history is emitted without adequate output escaping. An authenticated attacker with high privileges can store a malicious payload in content history data; when another user with permission to view history opens the affected entries, the payload executes in that user's browser context. The CVSS 4.0 score of 6.9 (Medium) reflects the high privilege requirement and the user interaction needed (the victim must view the entry), though successful exploitation yields high confidentiality impact, since the injected script runs with the victim's session.
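To make the escaping defect concrete, the following is an added illustration in PHP and is not Joomla's own code. The affected template and field in com_contenthistory are not identified on this page, so the row layout, the `version_note` field and the render functions are hypothetical; what the example shows is the vulnerable pattern (raw concatenation of a stored value into HTML) beside the hardened one (context-matched encoding at output time).

```php
<?php
// Added illustration, not Joomla's own code. The affected template and field
// in com_contenthistory are not identified on this page, so the row layout,
// the 'version_note' field and the render functions below are hypothetical.
declare(strict_types=1);

// Constructed sample row: the script sits in a user-controlled history field.
$row = [
    'version_id'   => 42,
    'version_note' => '<img src=x onerror="alert(document.domain)">',  // constructed payload
];

// VULNERABLE: the stored value is concatenated straight into the HTML, so the
// browser parses the attacker's <img> element and runs its onerror handler.
function renderRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['version_id'] . '</td>'
         . '<td>' . $row['version_note'] . '</td></tr>';
}

// HARDENED: encode for the HTML element/attribute context at output time.
// ENT_QUOTES also encodes single quotes so the value is safe inside either
// attribute quoting style; ENT_SUBSTITUTE keeps invalid UTF-8 from collapsing
// the output to an empty string (which would hide the entry instead of showing it).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRowSafe(array $row): string
{
    $note = e($row['version_note']);
    return '<tr><td>' . e((string) $row['version_id']) . '</td>'
         . '<td title="' . $note . '">' . $note . '</td></tr>';
}

// A JavaScript context needs a different encoder: HTML escaping does nothing
// inside an inline <script>. json_encode with the HEX flags hex-escapes <, >, &
// and both quote characters, so a value such as "</script><script>..." cannot
// close the script element or break out of the string literal.
function toJsLiteral(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

echo "UNSAFE (script executes when rendered):\n", renderRowUnsafe($row), "\n\n";
echo "SAFE (markup shown as text):\n", renderRowSafe($row), "\n\n";
echo "JS literal:\nvar note = ", toJsLiteral($row['version_note']), ";\n";
```

Joomla views expose `$this->escape()` for the HTML case; whichever helper is used, the encoder must match the context the value lands in (HTML body, attribute, JavaScript, URL), and it belongs at output time, because content history by design stores exactly what was saved and cannot be relied on to hold "clean" data.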

Defensive priority

medium

Recommended defensive actions

  • Apply the security update from the Joomla! project as soon as it is available, using the official security advisory as the reference for fixed versions
  • Review who holds the high-privilege roles able to write content history and who can view it through com_contenthistory; the viewer is the victim, so restrict both sides
  • Deploy a Content Security Policy (CSP) that does not permit 'unsafe-inline' script, which is the only form of CSP that limits the impact of stored XSS; Joomla 4 and later ship a System - HTTP Headers plugin that can emit CSP, but test it carefully in the administrator backend, where inline scripts are common
  • Audit existing content history entries for script-injection markers (script tags, event-handler attributes, javascript: URIs), including entity-encoded forms, and review the editor account and save date of anything flagged
  • In custom extensions that read or render com_contenthistory data, escape at output with an encoder matching the context (HTML body, attribute, JavaScript, URL) rather than relying on input filtering
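As an added example of the audit step, the PHP CLI script below is not a PatchSiren or Joomla tool. It assumes Joomla's `#__history` table layout, in which each saved version is stored as a JSON document in the `version_data` column alongside a free-text `version_note`; the rows are constructed inline so it runs without a database, and the regular expressions are broad leads for manual review rather than a signature of this CVE.

```php
<?php
// Added audit example, not Joomla's code. Assumes the #__history layout
// (version_data holds a JSON snapshot of the saved item, version_note is
// free text). Replace the constructed $rows with the result of something like
//   SELECT version_id, item_id, editor_user_id, save_date, version_note, version_data FROM #__history
// Findings are leads, not proof of exploitation: article bodies legitimately
// contain HTML, so review flagged rows by hand.
declare(strict_types=1);

// Markers that should rarely appear in user-supplied metadata. Matched
// case-insensitively after HTML entity decoding.
const SUSPICIOUS_PATTERNS = [
    'script-tag'     => '/<\s*script\b/i',
    'event-handler'  => '/\bon[a-z]{3,}\s*=/i',        // onerror=, onload=, ... (will also hit e.g. "online=")
    'javascript-uri' => '/javascript\s*:/i',
    'data-html-uri'  => '/data\s*:\s*text\/html/i',
    'active-element' => '/<\s*(svg|iframe|object|embed)\b/i',
    'srcdoc'         => '/\bsrcdoc\s*=/i',
];

/** Decode HTML entities repeatedly so &lt;script&gt; and double-encoded variants are seen. */
function normalise(string $value): string
{
    $prev = null;
    for ($i = 0; $i < 3 && $value !== $prev; $i++) {
        $prev  = $value;
        $value = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return $value;
}

/** Recursively yield [path, string] pairs from a decoded JSON structure. */
function walkStrings($node, string $path = ''): Generator
{
    if (is_array($node)) {
        foreach ($node as $key => $child) {
            yield from walkStrings($child, $path === '' ? (string) $key : "$path.$key");
        }
    } elseif (is_string($node)) {
        yield [$path, $node];
    }
}

/** Return a list of findings (version_id, editor_user_id, path, pattern) for one row. */
function auditRow(array $row): array
{
    $findings = [];
    $data = json_decode($row['version_data'], true);
    if (!is_array($data)) {
        return [[
            'version_id' => $row['version_id'], 'editor_user_id' => $row['editor_user_id'],
            'path' => '(version_data)', 'pattern' => 'unparseable-json',
        ]];
    }
    // version_note is its own column but is just as user-controlled as the snapshot.
    $sources = ['version_note' => (string) ($row['version_note'] ?? '')];
    foreach (walkStrings($data) as [$path, $value]) {
        $sources["version_data.$path"] = $value;
    }
    foreach ($sources as $path => $value) {
        $norm = normalise($value);
        foreach (SUSPICIOUS_PATTERNS as $label => $re) {
            if (preg_match($re, $norm) === 1) {
                $findings[] = [
                    'version_id' => $row['version_id'], 'editor_user_id' => $row['editor_user_id'],
                    'path' => $path, 'pattern' => $label,
                ];
            }
        }
    }
    return $findings;
}

function auditRows(array $rows): array
{
    $all = [];
    foreach ($rows as $row) {
        foreach (auditRow($row) as $finding) {
            $all[] = $finding;
        }
    }
    return $all;
}

// Constructed sample rows: one benign save, one carrying a raw payload in
// version_note and an entity-encoded payload in the metadata description.
$rows = [
    [
        'version_id' => 1, 'item_id' => 7, 'editor_user_id' => 62, 'save_date' => '2026-05-20 09:12:00',
        'version_note' => 'Fix typo in intro',
        'version_data' => json_encode(['title' => 'Release notes', 'introtext' => '<p>Plain <b>HTML</b> body</p>']),
    ],
    [
        'version_id' => 2, 'item_id' => 7, 'editor_user_id' => 99, 'save_date' => '2026-05-26 10:00:00',
        'version_note' => '<img src=x onerror="alert(document.domain)">',   // constructed payload
        'version_data' => json_encode([
            'title' => 'Release notes', 'introtext' => '<p>Body</p>',
            'metadesc' => '&lt;script&gt;alert(1)&lt;/script&gt;',           // constructed, entity-encoded
        ]),
    ],
];

foreach (auditRows($rows) as $f) {
    printf("version_id=%d editor_user_id=%d field=%s pattern=%s\n",
        $f['version_id'], $f['editor_user_id'], $f['path'], $f['pattern']);
}
```

Each finding carries the editor account and the field path, which is what an incident responder needs next: the editor_user_id identifies the high-privilege account that wrote the payload, and the save_date bounds when the stored script could have started executing for anyone viewing that history entry.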

Evidence notes

The vulnerability is attributed to Joomla! based on the security advisory reference provided in the NVD record. The CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring high privileges and user interaction.

Official resources

Joomla! Security Strike Team advisory (published 2026-05-26)