{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21631", "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "state": "PUBLISHED", "assignerShortName": "Joomla", "dateReserved": "2026-01-01T04:42:27.960Z", "datePublished": "2026-04-01T09:03:17.208Z", "dateUpdated": "2026-04-02T05:09:59.076Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [{"status": "affected", "version": "4.0.0-5.4.3"}, {"status": "affected", "version": "6.0.0-6.0.3"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Shirsendu Mondal & Md Tanzimul Alam Fahim, UNC Pembroke"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Lack of output escaping leads to a XSS vector in the multilingual associations component."}], "value": "Lack of output escaping leads to a XSS vector in the multilingual associations component."}], "impacts": [{"capecId": "CAPEC-18", "descriptions": [{"lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.9, "baseSeverity": "MEDIUM", "exploitMaturity": "UNREPORTED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla", "dateUpdated": "2026-04-02T05:09:59.076Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://developer.joomla.org/security-centre/1029-20260303-core-xss-vector-in-com-associations-comparison-view.html"}, {"tags": ["third-party-advisory"], "url": "https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-21631"}], "source": {"discovery": "UNKNOWN"}, "title": "Joomla! Core - [20260303] - XSS vector in com_associations comparison view", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-21631"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T03:56:05.276Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21631", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T12:54:02.283377Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T12:54:31.657Z"}}], "cna": {"title": "Joomla! Core - [20260303] - XSS vector in com_associations comparison view", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Shirsendu Mondal & Md Tanzimul Alam Fahim, UNC Pembroke"}], "impacts": [{"capecId": "CAPEC-18", "descriptions": [{"lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Joomla! Project", "product": "Joomla! CMS", "versions": [{"status": "affected", "version": "4.0.0-5.4.3"}, {"status": "affected", "version": "6.0.0-6.0.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://developer.joomla.org/security-centre/1029-20260303-core-xss-vector-in-com-associations-comparison-view.html", "tags": ["vendor-advisory"]}, {"url": "https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-21631", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Lack of output escaping leads to a XSS vector in the multilingual associations component.", "supportingMedia": [{"type": "text/html", "value": "Lack of output escaping leads to a XSS vector in the multilingual associations component.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla", "dateUpdated": "2026-04-02T05:09:59.076Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21631", "state": "PUBLISHED", "dateUpdated": "2026-04-02T05:09:59.076Z", "dateReserved": "2026-01-01T04:42:27.960Z", "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "datePublished": "2026-04-01T09:03:17.208Z", "assignerShortName": "Joomla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*", "matchCriteriaId": "E21AF5F0-76B9-4F00-9055-A9F2A170253C", "versionEndExcluding": "5.4.4", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*", "matchCriteriaId": "B61EE37B-A751-48E2-BDBE-6A6EC5499798", "versionEndExcluding": "6.0.4", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Lack of output escaping leads to a XSS vector in the multilingual associations component."}], "id": "CVE-2026-21631", "lastModified": "2026-04-09T19:55:58.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@joomla.org", "type": "Secondary"}]}, "published": "2026-04-01T10:16:16.097", "references": [{"source": "security@joomla.org", "tags": ["Vendor Advisory"], "url": "https://developer.joomla.org/security-centre/1029-20260303-core-xss-vector-in-com-associations-comparison-view.html"}, {"source": "security@joomla.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-21631"}], "sourceIdentifier": "security@joomla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@joomla.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,5.4.3]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,6.0.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Joomla! CMS", "source": "cna", "vendor": "Joomla! Project"}, "product": "joomla!", "vendor": "joomla"}], "analysis": {"en": {"generated_at": "2026-04-09T22:30:20.167740+00:00", "value": {"mitigation_remediation": ["Check for and apply the latest Joomla! update that addresses the XSS issue immediately.", "If a patch is not yet available, disable the com_associations component or remove the multilingual associations feature until a fix is released.", "Enable Joomla!\u2019s global output filtering or reduce the component\u2019s input handling privileges to prevent unescaped data from being rendered.", "Monitor site logs and user activity for signs of attempted JavaScript injection or abnormal browser behavior."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "Any Joomla! installation that includes the com_associations component prior to the March\u202f3\u202f2026 advisory is potentially vulnerable. The flaw applies to all versions of the component that were in use before the patch was released; no specific version range was specified in the advisory, so sites should assume the default multilingual associations feature is at risk.", "description_and_impact": "The Joomla! Content Management System\u2019s multilingual associations component fails to escape output in its comparison view, enabling an attacker to inject malicious JavaScript that runs in the browsers of any user who visits the affected page. This client\u2011side code execution can be used for phishing, cookie theft, or defacement of the site within the victim\u2019s browser context.", "risk_and_exploitability": "The CVSS base score of 5.9 places the issue in the medium severity range, and the reported exploitation likelihood is very low (less than one percent). The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. It is presumably triggered through the web interface when an attacker supplies unescaped data\u2014such as a crafted URL parameter or form field\u2014that is rendered in the comparison view. The impact is limited to the victim\u2019s browser, but successful exploitation would give the attacker full access to that browser\u2019s scripting environment."}}}}, "created": "2026-04-02T07:49:29.650693+00:00", "updated": "2026-04-10T09:45:50.543057+00:00", "vendors": ["joomla", "joomla$PRODUCT$joomla!"]}