CVE-2026-30894 Overview
CVE-2026-30894 is a stored Cross-Site Scripting (XSS) vulnerability in the Joomla! com_contenthistory component. The flaw originates from missing output escaping when the content history view renders user-supplied data. An authenticated attacker with high privileges can inject script payloads that execute in the browser of any user viewing the affected content history entries. The vulnerability is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in an administrator's session context, enabling session hijacking, account takeover, or unauthorized backend actions through the Joomla! content history interface.
Affected Products
- Joomla! CMS (see Joomla Security Advisory for exact version ranges)
- The com_contenthistory core component
- Joomla! installations where content versioning is enabled
Discovery Timeline
- 2026-05-26 - CVE-2026-30894 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-30894
Vulnerability Analysis
The vulnerability resides in the Joomla! content history component (com_contenthistory), which tracks revisions to articles and other content items. The component fails to apply proper HTML output escaping when rendering stored field values to the browser. When a privileged user views the version history of an item, any previously injected markup is interpreted as active content rather than literal text.
This behavior is characteristic of stored XSS. The payload persists in the database within a content history record and triggers on every subsequent view. Because the rendering occurs inside the Joomla! administrator backend, the executing script inherits the privileges of the viewing user. Attackers leverage this to perform requests against administrative endpoints, exfiltrate session tokens, or modify site configuration.
User interaction is required: a victim with sufficient permissions must navigate to the affected history view. The attacker also requires high privileges to seed the malicious content in the first place, which limits the attacker pool but does not eliminate risk in multi-author environments.
Root Cause
The root cause is the absence of context-aware output escaping in the content history view template. Field values pulled from the #__ucm_history table are emitted directly into HTML without passing through htmlspecialchars() or the Joomla! Text and OutputFilter escaping helpers.
Attack Vector
An authenticated attacker with content editing privileges submits an article or custom field containing an HTML or JavaScript payload. Joomla! stores a versioned snapshot of that content in the history table. When an administrator or another privileged user opens the content history compare or preview view, the unescaped payload executes in their browser session. The attack is delivered over the network through the standard Joomla! administrative interface.
No verified public proof-of-concept code is available. Refer to the Joomla Security Advisory for vendor-provided technical details.
Detection Methods for CVE-2026-30894
Indicators of Compromise
- Content history records in the #__ucm_history table containing <script>, onerror=, onload=, or javascript: substrings within stored JSON payloads.
- Administrator browser sessions issuing unexpected POST requests to administrator/index.php immediately after viewing content history pages.
- New or modified privileged accounts in the #__users table that correlate with administrator visits to the content history view.
Detection Strategies
- Inspect Joomla! database history tables for stored markup that should have been escaped, focusing on the version_data JSON field.
- Review web server access logs for requests to index.php?option=com_contenthistory followed by anomalous administrative API calls from the same session.
- Deploy server-side Content Security Policy (CSP) reporting to capture inline script execution attempts in administrator views.
Monitoring Recommendations
- Forward Joomla! application logs and web server access logs to a centralized SIEM for correlation of administrator activity with content history access patterns.
- Alert on creation of administrator-level accounts or changes to #__extensions rows during or shortly after content history view requests.
- Track outbound requests from administrator browsers to untrusted domains, which may indicate session token exfiltration.
How to Mitigate CVE-2026-30894
Immediate Actions Required
- Apply the Joomla! security update referenced in the Joomla Security Advisory as soon as it is available for your branch.
- Audit user accounts with content editing privileges and remove unnecessary high-privilege access to reduce the attacker pool.
- Review recent content history entries for stored script payloads and purge affected records before administrators view them.
Patch Information
Joomla! addresses CVE-2026-30894 by introducing proper output escaping in the com_contenthistory view layer. Administrators should upgrade to the fixed Joomla! release identified in the vendor advisory. Confirm the running version after upgrade via the Joomla! administrator System Information page.
Workarounds
- Temporarily disable the content history feature in Global Configuration for components that do not require versioning.
- Restrict access to the com_contenthistory view through ACL settings so only fully trusted Super Users can render history entries.
- Deploy a strict Content Security Policy that disallows inline scripts in the administrator backend to limit payload execution.
# Example: restrict access to com_contenthistory via web server rule
# Apache .htaccess - block direct access to the component from untrusted IPs
RewriteEngine On
RewriteCond %{QUERY_STRING} option=com_contenthistory [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.
RewriteRule ^administrator/index\.php$ - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
