| Vendor | Products | CVEs | KEV | Avg EPSS | Worst Severity |
|---|---|---|---|---|---|
| | 1 | 43 | 0 | 21.2% | CRITICAL |

| CVE ID | Description | Severity | CVSS | KEV | EPSS | Published | |
|---|---|---|---|---|---|---|---|
| CVE-2026-48905 | Lack of input filtering leads to an XSS vector in the HTML filter code. | MEDIUM | 6.9 | — | 4.0% | May 26, 2026 | |
| CVE-2026-48904 | An improper access check allows privilege escalation through the com_users group editing webservice endpoint. | HIGH | 8.2 | — | 20.8% | May 26, 2026 | |
| CVE-2026-48903 | Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. | MEDIUM | 6.9 | — | 4.0% | May 26, 2026 | |
| CVE-2026-48902 | The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. | CRITICAL | 9.8 | — | 8.8% | May 26, 2026 | |
| CVE-2026-48901 | The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. | HIGH | 7.5 | — | 15.6% | May 26, 2026 | |
| CVE-2026-48900 | An improper access check allowed low privileged users to edit the task types of existing scheduler tasks. | MEDIUM | 6.4 | — | 5.0% | May 26, 2026 | |
| CVE-2026-48899 | An improper access check allows privilege escalation through the com_users batch task. | MEDIUM | 5.3 | — | 14.2% | May 26, 2026 | |
| CVE-2026-48898 | An improper access check allows privilege escalation through the com_users batch task. | HIGH | 8.2 | — | 18.4% | May 26, 2026 | |
| CVE-2026-48897 | Insufficient state checks lead to a vector that allows bypassing 2FA checks. | HIGH | 8.2 | — | 11.4% | May 26, 2026 | |
| CVE-2026-48896 | Insufficient state checks lead to a vector that allows bypassing 2FA checks. | HIGH | 8.2 | — | 21.3% | May 26, 2026 | |
| CVE-2026-40384 | An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability. | MEDIUM | 5.9 | — | 35.5% | May 26, 2026 | |
| CVE-2026-40383 | An improper validation of user-supplied input leads to a local file inclusion vulnerability. | HIGH | 7.5 | — | 37.9% | May 26, 2026 | |
| CVE-2026-35223 | An improper access check allows unauthorized access to com_config webservice endpoints. | HIGH | 8.6 | — | 26.7% | May 26, 2026 | |
| CVE-2026-35222 | Improperly validated order clauses lead to a SQL injection vulnerability in com_tags. | MEDIUM | 6.9 | — | 22.7% | May 26, 2026 | |
| CVE-2026-35221 | Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder. | MEDIUM | 6.9 | — | 22.7% | May 26, 2026 | |
| CVE-2026-35220 | Lack of CSRF token validation leads to a CSRF attack vector in the admin activation endpoint of com_users. | MEDIUM | 4.6 | — | 1.2% | May 26, 2026 | |
| CVE-2026-30895 | Lack of output escaping leads to an XSS vector in the readmore links for com_content. | MEDIUM | 6.9 | — | 7.2% | May 26, 2026 | |
| CVE-2026-30894 | Lack of output escaping leads to an XSS vector in the content history component. | MEDIUM | 6.9 | — | 7.2% | May 26, 2026 | |
| CVE-2026-25901 | Lack of output escaping leads to an XSS vector in the multilingual associations component. | MEDIUM | 6.9 | — | 7.2% | May 26, 2026 | |
| CVE-2026-25900 | Lack of output escaping leads to an XSS vector in the feed modules. | MEDIUM | 6.9 | — | 7.2% | May 26, 2026 | |