CVE-2026-30895— Joomla! Core - [20260504] - XSS in readmore links
Possible ATT&CK Techniques 1AI
T1189 · Drive-by CompromiseAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Joomla! Project | Joomla! CMS | 4.0.0-5.4.5 | affected |
6.0.0-6.1.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-30895
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Joomla! Core - [20260504] - XSS in readmore links
Source: NVD (National Vulnerability Database)
Vulnerability Description
Lack of output escaping leads to a XSS vector in the readmore links for com_content.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Joomla! Project | Joomla! CMS | 4.0.0-5.4.5 | - |
II. Public POCs for CVE-2026-30895
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-30895
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-30895 (1)
- 🔗 [20260504] - Core - XSS in readmore linksvendor-advisory
Same Patch Batch · Joomla! Project · 2026-05-26 · 20 CVEs total
| CVE-2026-48904 | Joomla! Core - [20260514] - Privilege escalation through com_users webservice endpoints | |
| CVE-2026-30894 | Joomla! Core - [20260503] - XSS in com_contenthistory | |
| CVE-2026-40383 | Joomla! Core - [20260509] - LFI in HTMLView layout parameter | |
| CVE-2026-40384 | Joomla! Core - [20260510] - Path traversal in com_media webservice endpoint | |
| CVE-2026-35221 | Joomla! Core - [20260506] - Authenticated blind SQLi in com_finder | |
| CVE-2026-35222 | Joomla! Core - [20260507] - Authenticated blind SQLi in com_tags | |
| CVE-2026-35220 | Joomla! Core - [20260505] - CSRF in user activation endpoint | |
| CVE-2026-35223 | Joomla! Core - [20260508] - Improper access check in com_config webservice endpoints | |
| CVE-2026-48903 | Joomla! Framework - [20260519] - Inadequate content filtering within the checkAttribute fi | |
| CVE-2026-48905 | Joomla! Framework - [20260520] - Inadequate content filtering within the cleanAttributes f | |
| CVE-2026-25901 | Joomla! Core - [20260502] - XSS in com_associations | |
| CVE-2026-48897 | Joomla! Core - [20260512] - MFA Authentication Bypass | |
| CVE-2026-48896 | Joomla! Core - [20260511] - MFA Authentication Bypass | |
| CVE-2026-48898 | Joomla! Core - [20260513] - Privilege escalation through com_users batch task | |
| CVE-2026-48899 | Joomla! Core - [20260515] - Incorrect Access Control in sample data plugins | |
| CVE-2026-48902 | Joomla! Core - [20260518] - Transport encryption downgrade for password and username reset | |
| CVE-2026-48900 | Joomla! Core - [20260516] - Incorrect Access Control in com_scheduler | |
| CVE-2026-48901 | Joomla! Core - [20260517] - Incorrect Cache Key Construction for InputFilter objects | |
| CVE-2026-25900 | Joomla! Core - [20260501] - XSS in feed modules |
IV. Related Vulnerabilities
Same product: Joomla! CMS
- CVE-2026-35221
Joomla! Core - [20260506] - Authenticated blind SQLi in com_ - CVE-2026-48896
Joomla! Core - [20260511] - MFA Authentication Bypass - CVE-2026-35220
Joomla! Core - [20260505] - CSRF in user activation endpoint - CVE-2026-40383
Joomla! Core - [20260509] - LFI in HTMLView layout parameter - CVE-2026-35222
Joomla! Core - [20260507] - Authenticated blind SQLi in com_
Same vendor: Joomla! Project
- CVE-2026-35221
Joomla! Core - [20260506] - Authenticated blind SQLi in com_ - CVE-2026-48903
Joomla! Framework - [20260519] - Inadequate content filterin - CVE-2026-48896
Joomla! Core - [20260511] - MFA Authentication Bypass - CVE-2026-35220
Joomla! Core - [20260505] - CSRF in user activation endpoint - CVE-2026-40383
Joomla! Core - [20260509] - LFI in HTMLView layout parameter
Same weakness: CWE-79
- CVE-2026-42877
FacturaScripts: Stored XSS via product reference in sales/pu - CVE-2026-42197
RELATE Vulnerable to Stored XSS via Unprivileged User Profil - CVE-2026-46426
Budibase: Unrestricted Upload of File with Dangerous Type - CVE-2026-48149
Budibase: Stored XSS in Text component: BASIC users execute - CVE-2026-49044
WordPress Advanced Custom Fields: Font Awesome Field plugin
V. Comments for CVE-2026-30895
No comments yet