
CVE-2025-54476: Joomla! CMS vulnerable to XSS via the input filter

CVSS Score: N/A

Basic Information

EPSS Score: 0.12945%
Published: 9/30/2025
Updated: 10/1/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

| Package Name  | Ecosystem | Vulnerable Versions | First Patched Version |
|---------------|-----------|---------------------|-----------------------|
| joomla/filter | composer  | = 4.0.0             | 4.0.1                 |
| joomla/filter | composer  | >= 3.0.0, < 3.0.5   | 3.0.5                 |
| joomla/filter | composer  | < 2.0.6             | 2.0.6                 |

Vulnerability Intelligence

Root Cause Analysis

The vulnerability lies in the `checkAttribute` method of the `Joomla\Filter\InputFilter` class. The provided patches show that this method was modified to mitigate an XSS vulnerability. The core of the problem is that the method did not account for whitespace and other non-printable characters, which can be used to obfuscate malicious JavaScript in HTML attributes. An attacker could craft an input like `<img src="java\tscript:alert('xss')">`, which bypassed the original filter because the dangerous scheme was not written contiguously. The patch adds a step that strips these characters from the attribute value before it is checked for dangerous content. This points directly to `checkAttribute` as the vulnerable function. The other modified files are test cases that confirm the fix by adding new tests for the previously successful XSS vectors.

Vulnerable functions

Joomla\Filter\InputFilter::checkAttribute
src/InputFilter.php
The function `checkAttribute` was found to be vulnerable to Cross-Site Scripting (XSS). The vulnerability existed because the function did not properly sanitize attribute values before checking for malicious content. Attackers could bypass the filter by inserting control characters (such as tabs, newlines, or null bytes) within JavaScript URIs (e.g., `java\tscript:alert(1)`). The patch addresses this by explicitly removing these characters from the attribute value before validation, thus preventing the bypass.
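As an added illustration (not Joomla's own code), the following simplified PHP check models the behaviour described above: the pre-patch style of matching beside a hardened version that strips whitespace and control characters before looking for a dangerous scheme. The function names, the scheme list and the sample values are this illustration's own assumptions, and the real `InputFilter::checkAttribute` has more cases than are reproduced here.

```php
<?php
// Added illustration, not Joomla's code: a simplified attribute check modelled on the
// behaviour this page describes. Only the dangerous-URI-scheme logic is reproduced.
declare(strict_types=1);

/** URI schemes that must never appear in an attribute value such as src or href. */
const DANGEROUS_SCHEMES = ['javascript:', 'vbscript:', 'livescript:', 'mocha:', 'behaviour:'];

/** Lowercase and entity-decode the value so case and HTML entities cannot hide the scheme. */
function normaliseAttributeValue(string $value): string
{
    return html_entity_decode(strtolower($value), ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

/** Shared match step: true if the already-normalised value contains a dangerous scheme. */
function containsDangerousScheme(string $value): bool
{
    foreach (DANGEROUS_SCHEMES as $scheme) {
        if (strpos($value, $scheme) !== false) {
            return true;
        }
    }
    return false;
}

/** Pre-patch style: the scheme is only matched when it is written contiguously. */
function checkAttributeVulnerable(string $value): bool
{
    return containsDangerousScheme(normaliseAttributeValue($value));
}

/** Post-patch style: remove whitespace and control characters first. Browsers drop ASCII
 *  tab and newline from a URL before parsing it, so "java\tscript:" runs as "javascript:". */
function checkAttributeHardened(string $value): bool
{
    $value = normaliseAttributeValue($value);
    // \s covers space, tab, CR, LF, FF, VT; \x00-\x1F and \x7F cover the other C0 controls and DEL.
    $value = preg_replace('/[\s\x00-\x1F\x7F]+/', '', $value) ?? '';
    return containsDangerousScheme($value);
}

// Constructed sample values: the obfuscated vector quoted on this page, two variants, and a benign URL.
$samples = [
    "java\tscript:alert('xss')",  // tab inside the scheme: passes the old check
    "java\nscript:alert(1)",      // newline inside the scheme
    "java\0script:alert(1)",      // NUL byte inside the scheme
    "javascript:alert(1)",        // contiguous form: caught by both versions
    "https://example.com/a.png",  // benign, allowed by both
];
foreach ($samples as $s) {
    printf("%-30s vulnerable=%-5s hardened=%s\n", json_encode($s),
        var_export(checkAttributeVulnerable($s), true), var_export(checkAttributeHardened($s), true));
}
```

The first three samples return false from the pre-patch style check and true from the hardened one, which is the gap the patch closes; the last two behave identically in both versions.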

WAF Protection Rules

WAF Rule

Improper handling of input could lead to a cross-site scripting (XSS) vector in the checkAttribute method of the input filter framework class.

Reasoning

The vulnerability lies in the `checkAttribute` method of the `Joomla\Filter\InputFilter` class. The provided patches clearly show that this function was modified to mitigate an XSS vulnerability. The core of the vulnerability is that the function failed to account for whitespace and other non-printable characters that could be used to obfuscate malicious JavaScript in HTML attributes.