8 CVEs categorized as CWE-284 — Improper Access Control in Joomla.
CVE-2026-23899 | HIGH | 2026
An improper access check allows unauthorized access to webservice endpoints.
CVE-2026-21629 | MEDIUM | 2026
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by third-party developers.
CVE-2025-25225 | MEDIUM | 2025
A privilege escalation vulnerability in the Hikashop component versions 1.0.0-5.1.3 for Joomla allows authenticated attackers (administrator) to escalate their privileges to Super Admin Permissions.
CVE-2024-40749 | HIGH | 2024
Improper access controls allow access to protected views.
CVE-2024-27187 | HIGH | 2024
Improper access controls allow backend users to overwrite their username when disallowed.
CVE-2023-39973 | — | 2023
Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows the unauthorized removal of attachments from campaigns.
CVE-2023-39972 | — | 2023
Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows unauthorized users to create new mailing lists.
CVE-2023-23752 | MEDIUM | 2023
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.