CVE-2026-21631 - Vulnerability Details - OpenCVE

Lack of output escaping leads to a XSS vector in the multilingual associations component.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

No data.

No data.

No data.

References

Link	Providers
https://developer.joomla.org/security-centre/1029-20260303-core-xss-vector-in-com-associations-comparison-view.html
https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-21631

History

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
References		https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-21631
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 01 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
Description		Lack of output escaping leads to a XSS vector in the multilingual associations component.
Title		Joomla! Core - [20260303] - XSS vector in com_associations comparison view
Weaknesses		CWE-79
References		https://developer.joomla.org/security-centre/1029-20260303-core-xss-vector-in-com-associations-comparison-view.html
Metrics		cvssV4_0 `{'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U'}`

MITRE

Status: PUBLISHED

Assigner: Joomla

Published: 2026-04-01T09:03:17.208Z

Updated: 2026-04-02T05:09:59.076Z

Reserved: 2026-01-01T04:42:27.960Z

Link: CVE-2026-21631

Vulnrichment

Updated: 2026-04-01T12:54:31.657Z

NVD

Status : Undergoing Analysis

Published: 2026-04-01T10:16:16.097

Modified: 2026-04-01T20:16:23.203

Link: CVE-2026-21631

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21631", "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "state": "PUBLISHED", "assignerShortName": "Joomla", "dateReserved": "2026-01-01T04:42:27.960Z", "datePublished": "2026-04-01T09:03:17.208Z", "dateUpdated": "2026-04-02T05:09:59.076Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [{"status": "affected", "version": "4.0.0-5.4.3"}, {"status": "affected", "version": "6.0.0-6.0.3"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Shirsendu Mondal & Md Tanzimul Alam Fahim, UNC Pembroke"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Lack of output escaping leads to a XSS vector in the multilingual associations component."}], "value": "Lack of output escaping leads to a XSS vector in the multilingual associations component."}], "impacts": [{"capecId": "CAPEC-18", "descriptions": [{"lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.9, "baseSeverity": "MEDIUM", "exploitMaturity": "UNREPORTED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla", "dateUpdated": "2026-04-02T05:09:59.076Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://developer.joomla.org/security-centre/1029-20260303-core-xss-vector-in-com-associations-comparison-view.html"}, {"tags": ["third-party-advisory"], "url": "https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-21631"}], "source": {"discovery": "UNKNOWN"}, "title": "Joomla! Core - [20260303] - XSS vector in com_associations comparison view", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-21631"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T03:56:05.276Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21631", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T12:54:02.283377Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T12:54:31.657Z"}}], "cna": {"title": "Joomla! Core - [20260303] - XSS vector in com_associations comparison view", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Shirsendu Mondal & Md Tanzimul Alam Fahim, UNC Pembroke"}], "impacts": [{"capecId": "CAPEC-18", "descriptions": [{"lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Joomla! Project", "product": "Joomla! CMS", "versions": [{"status": "affected", "version": "4.0.0-5.4.3"}, {"status": "affected", "version": "6.0.0-6.0.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://developer.joomla.org/security-centre/1029-20260303-core-xss-vector-in-com-associations-comparison-view.html", "tags": ["vendor-advisory"]}, {"url": "https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-21631", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Lack of output escaping leads to a XSS vector in the multilingual associations component.", "supportingMedia": [{"type": "text/html", "value": "Lack of output escaping leads to a XSS vector in the multilingual associations component.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla", "dateUpdated": "2026-04-02T05:09:59.076Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21631", "state": "PUBLISHED", "dateUpdated": "2026-04-02T05:09:59.076Z", "dateReserved": "2026-01-01T04:42:27.960Z", "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "datePublished": "2026-04-01T09:03:17.208Z", "assignerShortName": "Joomla"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Lack of output escaping leads to a XSS vector in the multilingual associations component."}], "id": "CVE-2026-21631", "lastModified": "2026-04-01T20:16:23.203", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@joomla.org", "type": "Secondary"}]}, "published": "2026-04-01T10:16:16.097", "references": [{"source": "security@joomla.org", "url": "https://developer.joomla.org/security-centre/1029-20260303-core-xss-vector-in-com-associations-comparison-view.html"}, {"source": "security@joomla.org", "url": "https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-21631"}], "sourceIdentifier": "security@joomla.org", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@joomla.org", "type": "Secondary"}]}