CVE-2025-54476: 
PHP vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in Joomla! CMS, identified as CVE-2025-54476. The vulnerability affects versions 3.0.0-3.10.20-elts, 4.0.0-4.4.13, and 5.0.0-5.3.3 of the Joomla! CMS. The issue was discovered on August 3, 2025, and fixed on September 30, 2025. The vulnerability exists in the checkAttribute method of the input filter framework class, where improper handling of input could lead to an XSS vector (Joomla Security).

The vulnerability lies in the checkAttribute method of the Joomla\Filter\InputFilter class. The core issue is that the function failed to properly sanitize attribute values before checking for malicious content. Attackers could bypass the filter by inserting control characters such as tabs, newlines, or null bytes within JavaScript URIs. The vulnerability has been assigned a CVSS v4.0 score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (Miggo Database).

The vulnerability could allow attackers to execute cross-site scripting attacks through the input filter framework. This could potentially lead to unauthorized access to user data and compromise of web application security. The vulnerability affects multiple versions of the Joomla! CMS, making it a significant concern for installations that haven't been updated (Rapid7).

The vulnerability has been patched in Joomla! versions 4.4.14 and 5.3.4. Users are strongly advised to upgrade to these versions to mitigate the risk. The patch addresses the issue by explicitly removing control characters from attribute values before validation, preventing the filter bypass (Joomla Security).