Joomla CMS, Cross-Site Scripting (XSS), CVE-2026-30894 (Medium)

Listen to this Post

The vulnerability arises from improper output escaping in Joomla’s com_contenthistory component, which handles version comparisons and restoration of content. The flaw manifests when an authenticated administrator views a content comparison after malicious data has been injected into a versioned field. Specifically, the history component fails to sanitize HTML attributes within stored item data when rendering version differences.
When a user with edit permissions modifies an or custom field, com_contenthistory records a snapshot of the data, including any fields that may contain unfiltered HTML. An attacker with edit privileges on a content item can inject a payload such as `”>` into a text field. This payload is stored as part of the content history without proper encoding.
Later, when a high-privilege administrator (such as a Super User) views the version comparison interface (/administrator/index.php?option=com_contenthistory&view=compare&id[]=X&id[]=Y), the application renders the different fields for display. Due to the lack of `htmlspecialchars()` or `$this->escape()` on the output, the injected code is executed directly in the administrator’s browser context.
This leads to a reflected/contextual XSS scenario within the Joomla back-end. Since the front-end and back-end share the same origin, the attacker can hijack the administrator’s session, perform actions on their behalf, or exfiltrate sensitive configuration data.

DailyCVE form:

Platform: Joomla CMS
Version: 3.0.0–5.4.6/6.0.0–6.1.1
Vulnerability : XSS (CWE-79)
Severity: Medium (6.1 CVSS)
date: 2026-05-26

Prediction: 2026-06-02

What Undercode Say:

Check current Joomla version via CLI
php /path/to/joomla/cli/joomla.php --version
Verify com_contenthistory model path for unsafe code
grep -r "htmlspecialchars" administrator/components/com_contenthistory/models/history.php
Remediation command (Git patch application)
cd /path/to/joomla && git apply --check xss_fix.patch

Exploit:

// Malicious payload injection via POST to index.php?option=com_content&task=.save
// Payload: " onmouseover="alert(document.cookie)"
// Trigger URL for administrator:
// https://target.com/administrator/index.php?option=com_contenthistory&view=compare&id[]=X&id[]=Y

Protection from this CVE:

  1. Upgrade to Joomla 5.4.6 or 6.1.1 (released May 26, 2026).
  2. Apply temporary WAF rule blocking `com_contenthistory` requests containing HTML tags.
  3. Enforce `htmlspecialchars($value, ENT_QUOTES, ‘UTF-8’)` in all custom overrides.
  4. Disable com_contenthistory if not required via administrator Components menu.

Impact:

Administrative session hijacking, privilege escalation, and potential site defacement. An attacker with editor privileges can execute arbitrary scripts in a Super User’s session, compromising the entire CMS instance.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top