CVE-2026-21626

9.2

Critical

Published:6 Feb 2026

Last updated:17 Jun 2026

Source:security@joomla.org

Analyzed

Weakness (CWE)

CWE-200Exposure of Sensitive Information

CVSS Vector

v4.0

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Confidentiality (Vulnerable): High
Integrity (Vulnerable): None
Availability (Vulnerable): None
Confidentiality (Subsequent): High
Integrity (Subsequent): None
Availability (Subsequent): None

View on MITRE Find PoC on GitHub

Description

Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure

References

security@joomla.org

https://stackideas.com/easydiscuss