Joomla! vulnerabilities: known CVEs & security history
Joomla! · Actively exploited · 631 tracked CVEs · 2 actively exploited · updated June 2026 · what is a CVE? →
This is the full list of known vulnerabilities (CVEs) across all Joomla! release lines — 631 in total, with 2 actively exploited in the wild. A CVE here doesn't mean your version is affected — check Joomla!'s current status and the safe version to run.
Known Joomla! CVEs
Actively-exploited and most-severe first. Showing the top 80 of 631. Open any CVE for full details.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2016-10033⚡ exploited | critical | 9.8 | 100% | 2016 |
| CVE-2023-23752⚡ exploited | medium | 5.3 | 100% | 2023 |
| CVE-2026-48904 | critical | 9.8 | 0% | 2026 |
| CVE-2026-48902 | critical | 9.8 | 0% | 2026 |
| CVE-2026-48899 | critical | 9.8 | 0% | 2026 |
| CVE-2026-48898 | critical | 9.8 | 0% | 2026 |
| CVE-2026-40383 | critical | 9.8 | 0% | 2026 |
| CVE-2026-35223 | critical | 9.8 | 0% | 2026 |
| CVE-2026-35222 | critical | 9.8 | 0% | 2026 |
| CVE-2026-35221 | critical | 9.8 | 0% | 2026 |
| CVE-2025-25226 | critical | 9.8 | 0% | 2025 |
| CVE-2022-23799 | critical | 9.8 | 1% | 2022 |
| CVE-2022-23797 | critical | 9.8 | 1% | 2022 |
| CVE-2022-23795 | critical | 9.8 | 1% | 2022 |
| CVE-2010-1435 | critical | 9.8 | 1% | 2021 |
| CVE-2010-1433 | critical | 9.8 | 1% | 2021 |
| CVE-2020-35613 | critical | 9.8 | 28% | 2020 |
| CVE-2020-10243 | critical | 9.8 | 2% | 2020 |
| CVE-2019-19846 | critical | 9.8 | 2% | 2019 |
| CVE-2019-12765 | critical | 9.8 | 10% | 2019 |
| CVE-2019-11831 | critical | 9.8 | 6% | 2019 |
| CVE-2019-10945 | critical | 9.8 | 38% | 2019 |
| CVE-2019-7743 | critical | 9.8 | 3% | 2019 |
| CVE-2018-15882 | critical | 9.8 | 3% | 2018 |
| CVE-2018-11325 | critical | 9.8 | 4% | 2018 |
| CVE-2018-6376 | critical | 9.8 | 5% | 2018 |
| CVE-2017-16634 | critical | 9.8 | 4% | 2017 |
| CVE-2017-14596 | critical | 9.8 | 6% | 2017 |
| CVE-2017-8917 | critical | 9.8 | 100% | 2017 |
| CVE-2016-9081 | critical | 9.8 | 2% | 2017 |
| CVE-2016-10045 | critical | 9.8 | 98% | 2016 |
| CVE-2016-9836 | critical | 9.8 | 2% | 2016 |
| CVE-2016-8869 | critical | 9.8 | 97% | 2016 |
| CVE-2024-27185 | critical | 9.1 | 0% | 2024 |
| CVE-2021-26040 | critical | 9.1 | 1% | 2021 |
| CVE-2021-23128 | critical | 9.1 | 2% | 2021 |
| CVE-2021-23127 | critical | 9.1 | 2% | 2021 |
| CVE-2011-1151 | critical | 9.1 | 2% | 2020 |
| CVE-2012-6503 | high | 10 | 2% | 2013 |
| CVE-2010-5286 | high | 10 | 11% | 2012 |
| CVE-2008-1465 | high | 9.3 | 1% | 2008 |
| CVE-2007-4188 | high | 9.3 | 4% | 2007 |
| CVE-2026-23899 | high | 8.8 | 0% | 2026 |
| CVE-2026-21630 | high | 8.8 | 0% | 2026 |
| CVE-2020-13760 | high | 8.8 | 1% | 2020 |
| CVE-2020-10241 | high | 8.8 | 1% | 2020 |
| CVE-2020-10239 | high | 8.8 | 3% | 2020 |
| CVE-2020-8420 | high | 8.8 | 1% | 2020 |
| CVE-2020-8419 | high | 8.8 | 0% | 2020 |
| CVE-2019-18650 | high | 8.8 | 0% | 2019 |
| CVE-2019-14654 | high | 8.8 | 2% | 2019 |
| CVE-2018-17858 | high | 8.8 | 1% | 2018 |
| CVE-2018-17855 | high | 8.8 | 2% | 2018 |
| CVE-2018-12712 | high | 8.8 | 2% | 2018 |
| CVE-2018-11323 | high | 8.8 | 3% | 2018 |
| CVE-2018-8045 | high | 8.8 | 29% | 2018 |
| CVE-2017-11364 | high | 8.8 | 2% | 2017 |
| CVE-2016-8870 | high | 8.1 | 82% | 2016 |
| CVE-2026-48901 | high | 7.5 | 0% | 2026 |
| CVE-2026-48897 | high | 7.5 | 0% | 2026 |
| CVE-2026-48896 | high | 7.5 | 0% | 2026 |
| CVE-2026-40384 | high | 7.5 | 0% | 2026 |
| CVE-2025-25227 | high | 7.5 | 0% | 2025 |
| CVE-2024-40749 | high | 7.5 | 0% | 2025 |
| CVE-2024-40748 | high | 7.5 | 0% | 2025 |
| CVE-2024-27187 | high | 7.5 | 0% | 2024 |
| CVE-2023-40626 | high | 7.5 | 1% | 2023 |
| CVE-2023-23755 | high | 7.5 | 1% | 2023 |
| CVE-2022-23793 | high | 7.5 | 2% | 2022 |
| CVE-2021-26038 | high | 7.5 | 1% | 2021 |
| CVE-2021-26036 | high | 7.5 | 1% | 2021 |
| CVE-2010-1434 | high | 7.5 | 1% | 2021 |
| CVE-2010-1432 | high | 7.5 | 1% | 2021 |
| CVE-2021-23132 | high | 7.5 | 7% | 2021 |
| CVE-2021-23131 | high | 7.5 | 2% | 2021 |
| CVE-2020-35616 | high | 7.5 | 6% | 2020 |
| CVE-2020-35612 | high | 7.5 | 2% | 2020 |
| CVE-2020-35611 | high | 7.5 | 1% | 2020 |
| CVE-2020-35610 | high | 7.5 | 1% | 2020 |
| CVE-2020-13763 | high | 7.5 | 1% | 2020 |
551 older / lower-severity CVEs not shown — see Joomla!'s full record.
Is my Joomla! version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Check your Joomla! version → · Monitor Joomla! for new CVEs →
Joomla! vulnerabilities — frequently asked
How many known vulnerabilities does Joomla! have?
IsItPatched tracks 631 CVEs for Joomla!, 2 of which are actively exploited (CISA KEV). 37 are critical-severity and 284 high-severity. These span every release line — what matters is whether the version you run is affected.
Does Joomla! have any actively-exploited vulnerabilities?
Yes — 2 Joomla! CVEs are in CISA's Known Exploited Vulnerabilities catalog, meaning they are confirmed exploited in the wild. Patch these as a priority.
What is the most severe Joomla! vulnerability?
Among tracked issues, CVE-2016-10033 (CRITICAL, CVSS 9.8), which is actively exploited, ranks highest — a CWE-88 weakness.
Is Joomla! safe to use?
It depends on the version. The latest supported Joomla! release clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Related: Joomla! security status · Joomla! end-of-life · actively-exploited CVEs. Always verify against Joomla!'s advisories — see our disclaimer.