Joomla CMS, Cross-Site Scripting (XSS), CVE-2026-25901 (Medium)

Listen to this Post

The vulnerability resides in Joomla’s multilingual associations component (com_associations), which fails to properly escape user-supplied output before rendering it in a web page. An attacker with low-privileged access (e.g., an authenticated user) can inject a malicious payload into a parameter that is later reflected without sanitization, leading to a stored or reflected XSS condition. The root cause is improper neutralization of input during web page generation, classified as CWE-79. Exploitation requires user interaction, such as a victim clicking a crafted link or viewing a compromised association entry. The attack is remotely exploitable over the network, with low attack complexity and no required privileges, as per the CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N. This yields a base score of 6.9 (Medium). The vulnerability affects Joomla versions 4.0.0 through 5.4.5, and 6.0.0 through 6.1.0. It was discovered by Vnth4Nhnt and publicly disclosed on May 26, 2026. No technical details or exploit code are publicly available. The issue is fixed in Joomla 5.4.6 and 6.1.1, released on the same day.

DailyCVE Form:

Platform: Joomla CMS
Version: 5.4.5/6.1.0
Vulnerability: XSS
Severity: Medium (6.9)
Date: 2026-05-26

Prediction: Patched 2026-05-26

What Undercode Say:

Analytics:

  • Check exposure: `grep -r “com_associations” /path/to/joomla`
    – Audit escaping: `find . -name “.php” | xargs grep “echo.\$” | grep -v “htmlspecialchars”`
    – Simulate injection: `curl -k -X POST -d “association[bash]=” https://target.com/administrator/index.php?option=com_associations`

Exploit:

To exploit, an attacker crafts a malicious association entry containing JavaScript. When a privileged user views the association list, the script executes in their browser, potentially stealing session cookies or performing actions on their behalf.

Protection from this CVE:

  • Immediately upgrade to Joomla 5.4.6 or 6.1.1 (or later).
  • If upgrading is not possible, apply the vendor’s patch or disable the multilingual associations component.
  • Implement a Content Security Policy (CSP) to restrict script execution.

Impact:

Successful XSS can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Since the attack requires user interaction, its severity is medium, but it can still compromise the integrity and confidentiality of the Joomla site.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top