PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-30895 Joomla! Project CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in Joomla's com_content component due to insufficient output escaping in readmore links. The flaw, assigned CVSS 4.0 score 6.9 (Medium), allows an authenticated attacker with high privileges to inject malicious scripts that execute in the context of users clicking affected readmore links. The vulnerability was disclosed by the Joomla Security Strike Team on May 26, 2026, and is tracked as 20260504 in Joomla's security center.

Vendor: Joomla! Project
Product: Joomla! CMS
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

Joomla site administrators, content managers, and security teams operating Joomla CMS instances with com_content enabled, and organizations whose user-generated content workflows rely on readmore functionality.

Technical summary

The vulnerability stems from missing output encoding when rendering readmore links in Joomla's content component (com_content). An attacker with high-privilege access can craft malicious readmore link attributes that persist in stored content and execute in the browsers of other users when that content is rendered. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L) reflects a network attack vector, low attack complexity, no attack requirements, high privileges required, and passive user interaction. Confidentiality impact is high, while integrity and availability impacts are low. The weakness maps to CWE-79 (Improper Neutralization of Input During Web Page Generation).

Defensive priority

Medium

Recommended defensive actions

  • Apply Joomla security update 20260504 when available from the Joomla Security Strike Team
  • Review and sanitize all com_content readmore link configurations for unexpected HTML or script content
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact
  • Audit administrator accounts for unauthorized content modifications around the disclosure timeframe
  • Monitor web application logs for suspicious readmore link parameters or encoded payloads
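As an added illustration that is not Joomla's own PHP code (function names, regexes and the constructed inputs are hypothetical), the following Python contrasts raw attribute interpolation, the CWE-79 pattern behind this CVE, with escaped output, and sketches the audit of stored readmore link values called for above, normalizing percent- and entity-encoded forms before inspection.

```python
"""Hardened rendering and audit of readmore links (added example, not Joomla code)."""
import html
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# "" covers relative links such as /index.php?option=com_content&view=article&id=7
ALLOWED_SCHEMES = {"", "http", "https"}

# Heuristic patterns a reviewer would treat as suspicious inside a stored link value.
SUSPICIOUS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z]", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "script_scheme": re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I),
    "attr_breakout": re.compile(r"[\"']\s*[a-z-]+\s*=", re.I),
}


def unsafe_readmore_link(href: str, label: str) -> str:
    """Vulnerable pattern: stored value interpolated into an attribute without escaping."""
    return f'<a class="readmore" href="{href}">{label}</a>'


def safe_readmore_link(href: str, label: str) -> Optional[str]:
    """Hardened pattern: allow only http(s)/relative URLs, then escape for attribute context."""
    scheme = urlsplit(href.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None  # caller drops or replaces the link instead of rendering it
    return (f'<a class="readmore" href="{html.escape(href, quote=True)}">'
            f'{html.escape(label, quote=True)}</a>')


def normalize(value: str, rounds: int = 3) -> str:
    """Peel a few layers of percent- and entity-encoding so encoded payloads become visible."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def audit_readmore_value(value: str) -> list:
    """Return the names of suspicious patterns found in a stored readmore link value."""
    probe = normalize(value)
    return [name for name, rx in SUSPICIOUS.items() if rx.search(probe)]
```

Run `audit_readmore_value` over exported article link fields to produce a review list; it is a triage heuristic, not a sanitizer, so the escaping in `safe_readmore_link` remains the actual control.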

Evidence notes

CVE published 2026-05-26T17:16:31.037Z; modified 2026-05-26T19:06:58.447Z. NVD status: Undergoing Analysis. Official Joomla security advisory confirms com_content readmore link XSS vector.
