Lack of output escaping leads to a XSS vector in the content history component

CVE-2026-30894 is a Joomla core cross-site scripting flaw in com_contenthistory, caused by missing output escaping when history data is rendered. The vendor advisory marks Joomla! CMS 3.0.0 through 5.4.5 and 6.0.0 through 6.1.0 as affected, with fixes in 5.4.6 and 6.1.1.

The vendor's *moderate* label is still a bit generous in enterprise reality. XSS can absolutely become full site compromise if it lands in a privileged admin browser, but this bug appears tied to a content-history workflow rather than anonymous front-end browsing, so the real story is *post-auth, role-limited, user-interaction-dependent abuse*; Joomla's own CVSS v4 view with PR:H/UI:P fits that reality better than the looser NVD v3 PR:N framing.

Why this verdict

• Requires a foothold first: the attacker generally needs authenticated ability to create or edit content that lands in com_contenthistory, which implies prior credential theft, insider access, or another CMS compromise stage.
• Requires the right victim and UI path: exploitation depends on a reviewer/admin actually opening the affected history component, so reachable population is far smaller than the product install base.
• Internet-wide blast radius is overstated: XSS impact can be serious, but only after the attacker crosses several narrowing gates; that is exactly the kind of friction that should drag a vendor MEDIUM down in enterprise patch triage.

Why not higher?

There is no sign of KEV status, active exploitation, wormability, or unauthenticated remote code execution. The path looks chained: authenticated content manipulation, then privileged user interaction, then session abuse. That is too much real-world friction to justify MEDIUM or HIGH urgency across a 10,000-host estate.

Why not lower?

It is still a core CMS bug in a widely deployed platform, and successful admin-origin XSS can translate into meaningful integrity impact, including administrative action abuse. In shared editorial environments or agencies with many backend users, the odds of the workflow being exercised are not zero, so this is not pure noise.

1. Restrict /administrator exposure — Put Joomla backend access behind VPN, IP allowlists, or an identity-aware proxy. For a LOW verdict there is no SLA beyond backlog hygiene, but this is worth doing on exposed sites because it shrinks the victim pool and makes the prerequisite authenticated foothold harder to obtain.
2. Trim editor and publisher roles — Review who can create or modify content that generates history entries, and remove stale or shared accounts. With no mitigation SLA for LOW, do this during normal access-review cadence, prioritizing internet-facing or multi-editor sites.
3. Harden admin browser controls — Apply a strict admin-side CSP where feasible, use managed browsers, and block risky extension usage on administrator workstations. This won't guarantee prevention, but it raises exploit reliability friction for any XSS that does execute.
4. Monitor high-risk admin actions — Alert on new super-user creation, extension installation, template edits, and major config changes shortly after content-history views. For LOW, fold this into standard CMS monitoring improvements rather than emergency change windows.

Run this on the Joomla web host against the site root, for example sudo bash check-joomla-cve-2026-30894.sh /var/www/html/joomla. It needs read access to the Joomla installation files only; root is not required unless file permissions force it.

#!/usr/bin/env bash
# check-joomla-cve-2026-30894.sh
# Detect whether a local Joomla installation is in the affected version ranges for CVE-2026-30894.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/runtime error

set -u

usage() {
  echo "Usage: $0 /path/to/joomla-root"
}

if [ $# -ne 1 ]; then
  usage
  exit 3
fi

ROOT="$1"
XML_FILE="$ROOT/administrator/manifests/files/joomla.xml"
VER_FILE="$ROOT/libraries/src/Version.php"
VERSION=""

if [ -f "$XML_FILE" ]; then
  VERSION=$(grep -Eo '<version>[^<]+' "$XML_FILE" 2>/dev/null | head -n1 | sed 's/<version>//')
fi

if [ -z "$VERSION" ] && [ -f "$VER_FILE" ]; then
  SHORT=$(grep -E "public const SHORT_VERSION\s*=" "$VER_FILE" 2>/dev/null | head -n1 | sed -E "s/.*'([^']+)'.*/\1/")
  if [ -n "$SHORT" ]; then
    VERSION="$SHORT"
  fi
fi

if [ -z "$VERSION" ]; then
  echo "UNKNOWN - could not determine Joomla version from $XML_FILE or $VER_FILE"
  exit 2
fi

# Normalize: keep only numeric dotted prefix
VERSION=$(echo "$VERSION" | sed -E 's/^([0-9]+(\.[0-9]+){0,2}).*/\1/')

ver_ge() {
  # returns 0 if $1 >= $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

ver_lt() {
  # returns 0 if $1 < $2
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Affected ranges per vendor/NVD:
# 3.0.0 - 5.4.5
# 6.0.0 - 6.1.0
if ver_ge "$VERSION" "3.0.0" && ver_lt "$VERSION" "5.4.6"; then
  echo "VULNERABLE - Joomla version $VERSION is in affected range 3.0.0-5.4.5"
  exit 1
fi

if ver_ge "$VERSION" "6.0.0" && ver_lt "$VERSION" "6.1.1"; then
  echo "VULNERABLE - Joomla version $VERSION is in affected range 6.0.0-6.1.0"
  exit 1
fi

if ver_ge "$VERSION" "5.4.6" && ver_lt "$VERSION" "6.0.0"; then
  echo "PATCHED - Joomla version $VERSION is at or above 5.4.6"
  exit 0
fi

if ver_ge "$VERSION" "6.1.1"; then
  echo "PATCHED - Joomla version $VERSION is at or above 6.1.1"
  exit 0
fi

echo "UNKNOWN - Joomla version $VERSION is outside the published affected/fixed ranges reviewed for CVE-2026-30894"
exit 2

Sources

1. Joomla security advisory for CVE-2026-30894
2. NVD entry for CVE-2026-30894
3. Joomla 6.1.1 & 5.4.6 security release announcement
4. Joomla 5.4.6 download page
5. Joomla 6.1.1 download page
6. Joomla 6.1 release announcement
7. Joomla CMS GitHub repository
8. CISA Known Exploited Vulnerabilities catalog