Get the Most From Your Joomla Vulnerability Scanner

Secably Research
Jul 13, 2026
12 min read
Security Tools
Joomla Scanner Tools Tutorial Vulnerability
Get the Most From Your Joomla Vulnerability Scanner
Get the Most From Your Joomla Vulnerability Scanner

A joomla vulnerability scanner identifies security weaknesses within Joomla installations, including core vulnerabilities, outdated extensions, and misconfigurations. Use it before deploying a new Joomla site, after any major update, or as part of regular security audits. This proactive scanning helps detect known flaws before attackers exploit them.

Joomla Vulnerability Scanner: Step-by-Step Usage

This section focuses on JoomScan, a widely used, open-source joomla vulnerability scanner. JoomScan is a Perl-based tool that identifies Joomla versions, enumerates components, and checks for known vulnerabilities.

Setting Up JoomScan

Ensure Perl is installed on your system. Most Linux distributions, like Ubuntu or Debian, include Perl by default. You can verify its presence by typing perl -v in your terminal. If not installed, use your system's package manager.

sudo apt update
sudo apt install perl

Next, clone the JoomScan repository from GitHub. Navigate to a directory where you store your security tools.

git clone https://github.com/rezaduty/Joomscan.git
cd Joomscan

Make the primary script executable. This grants the necessary permissions to run the tool directly.

chmod +x joomscan.pl

JoomScan relies on several Perl modules. If you encounter errors about missing modules (e.g., Can't locate LWP/UserAgent.pm), install them using CPAN, Perl's comprehensive archive network.

sudo cpan install LWP::UserAgent
sudo cpan install URI::URL
sudo cpan install Getopt::Std
sudo cpan install JSON

Install any other modules reported as missing. This ensures full functionality.

Basic Scanning

Execute JoomScan against your target Joomla site. Replace http://joomla-target.com with the actual URL of the site you intend to scan. Always obtain explicit permission before scanning any website you do not own.

perl joomscan.pl -u http://joomla-target.com

A typical output for a vulnerable Joomla instance reveals version details and identified security flaws. The scanner checks its internal database of known vulnerabilities against the detected Joomla version and extensions.


+------------------------------------------------------------------------------------------------------------------+
|      JoomScan - Joomla Vulnerability Scanner by rezaduty                                                         |
|      GitHub: https://github.com/rezaduty/Joomscan                                                                |
+------------------------------------------------------------------------------------------------------------------+

[+] Target: http://joomla-target.com
[+] Joomla Version: 3.9.27 (Detected via generator meta tag and RSS feed)
[+] Scanning for known vulnerabilities...

[!] Vulnerability Found: CVE-2021-23126 (Joomla! 3.0.0-3.9.27 - Stored XSS in com_actionlogs)
    - Description: A stored Cross-Site Scripting (XSS) vulnerability exists in the com_actionlogs component.
    - Impact: An attacker can inject malicious scripts into the application, leading to session hijacking or data theft.
    - Reference: https://developer.joomla.org/security-centre/845-20210301-core-xss-in-com-actionlogs.html
    - Recommendation: Update Joomla to version 3.9.28 or later, or apply the official patch.

[!] Vulnerability Found: Outdated Extension - Akeeba Backup 6.x (End-of-Life)
    - Detected Version: 6.9.0
    - Description: Akeeba Backup version 6.x is no longer supported and does not receive security updates.
    - Impact: This extension may contain unpatched vulnerabilities, making it a prime target for attackers.
    - Recommendation: Update Akeeba Backup to a supported version (e.g., Akeeba Backup 8.x or later).

[+] Misconfiguration Detected: Directory Listing Enabled for /images/
    - Description: The web server configuration permits directory listing for the /images/ directory.
    - Impact: Attackers can browse the directory's contents, revealing file structures, temporary files, or other sensitive information.
    - Recommendation: Disable directory listing for all non-essential directories in your web server (Apache, Nginx) configuration.

[+] Scanning complete. Found 2 vulnerabilities and 1 misconfiguration.

Each finding includes a description, potential impact, references (like CVEs or official advisories), and actionable recommendations. Prioritize high-severity issues and address them promptly.

Verbose Scanning and Custom User-Agent

Use the -v flag for more verbose output, revealing additional details about the scanning process. This helps in understanding how JoomScan identifies components and vulnerabilities. The -a flag allows you to set a custom User-Agent string, which can help bypass basic WAFs or mimic specific browsers.

perl joomscan.pl -u http://joomla-target.com -v -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

The verbose output shows HTTP requests, responses, and the logic JoomScan uses to detect Joomla presence, version, and extensions. This is useful for troubleshooting or understanding the scan's depth.

Enumerating Components and Modules

Joomla's extensibility is a common source of vulnerabilities. JoomScan can enumerate installed components (-ec) and modules (-em). This helps identify outdated or unsupported extensions that might harbor known flaws.

perl joomscan.pl -u http://joomla-target.com -ec -em

The output lists detected components and modules, often with their versions, and flags any known issues associated with them.


...
[+] Enumerating Components...
[+] Found Component: com_content (Joomla! Core)
[+] Found Component: com_users (Joomla! Core)
[+] Found Component: com_virtuemart (Version: 3.8.8)
    - Potential Vulnerability: Virtuemart 3.8.8 has known Cross-Site Scripting (XSS) and SQL Injection flaws (e.g., CVE-2021-XXXXX, CVE-2021-YYYYY).
    - Recommendation: Verify your Virtuemart version against official advisories and update to the latest patched release (e.g., 4.x).
[+] Found Component: com_akeebabackup (Version: 6.9.0)
    - Warning: Akeeba Backup 6.x is End-of-Life. Upgrade to version 8.x or newer immediately.

[+] Enumerating Modules...
[+] Found Module: mod_login (Joomla! Core)
[+] Found Module: mod_virtuemart_cart (Version: 3.8.8)
    - Warning: Linked to outdated Virtuemart component.

[+] Enumeration complete.

This detailed enumeration helps prioritize updates for third-party extensions, which are often overlooked compared to core Joomla updates.

Using Secably for CMS Scanning

For a web-based, zero-setup alternative, Secably provides a CMS vulnerability scanner. This tool scans your Joomla site for outdated versions, known vulnerabilities in core and popular extensions, and common misconfigurations. It requires no local installation or dependencies.

Access the CMS vulnerability scanner, enter your Joomla site's URL, and initiate the scan. Secably's scanner performs checks similar to JoomScan but also incorporates broader web vulnerability checks, providing a more comprehensive overview.

Output from Secably for a Joomla site:


+-------------------------------------------------+
| Secably CMS Vulnerability Scan Report           |
+-------------------------------------------------+

Target: http://joomla-target.com
CMS Detected: Joomla (Version: 3.9.27)
Last Scanned: 2024-07-26 10:30:00 UTC

Severity: High
  - Vulnerability: Joomla! Core Stored XSS (CVE-2021-23126)
    - Description: A stored XSS vulnerability was found in the com_actionlogs component, affecting Joomla versions 3.0.0 through 3.9.27.
    - CVSS Score: 7.2 (High)
    - Recommendation: Update Joomla to version 3.9.28 or later to patch this vulnerability.
    - Reference: https://developer.joomla.org/security-centre/845-20210301-core-xss-in-com-actionlogs.html

Severity: Medium
  - Vulnerability: Outdated Extension - Akeeba Backup
    - Detected Version: 6.9.0
    - Description: Akeeba Backup 6.x is End-of-Life. It no longer receives security updates, leaving it exposed to new threats.
    - Recommendation: Upgrade Akeeba Backup to the latest supported version (e.g., 8.x). Regularly check for extension updates.

Severity: Low
  - Misconfiguration: Directory Listing Enabled
    - Path: /images/
    - Description: Directory listing is enabled for the /images/ directory. This exposes the file structure and potentially sensitive files.
    - Recommendation: Disable directory listing for this and other sensitive directories in your web server configuration (e.g., Apache .htaccess, Nginx server block).

Severity: Informational
  - Finding: Joomla! Administrator Login Page Detected
    - Path: /administrator/
    - Description: The standard Joomla administrator login page was found.
    - Recommendation: Consider implementing additional security measures for the admin interface, such as IP whitelisting or two-factor authentication.

Scan Details:
  - Checks performed: Joomla core version, popular extensions, common misconfigurations, HTTP headers.
  - External references: CVE Database, Joomla Security Centre.

Secably's report provides clear severity ratings, detailed descriptions, and specific remediation steps, making it easy to prioritize and fix issues. For general web vulnerability checks beyond CMS specifics, Secably also offers a free website vulnerability scanner.

Saving Scan Output

Store scan results for auditing or further analysis. JoomScan supports saving output to a file using the -o flag. Specify a filename for the report.

perl joomscan.pl -u http://joomla-target.com -o joomla_scan_report.txt

The output file will contain the full scan results, including all identified vulnerabilities and information. This is useful for comparing scan results over time or sharing with team members.

Scanning with a Delay

To avoid triggering rate limits or detection by intrusion prevention systems, introduce a delay between requests using the -d flag. Specify the delay in seconds.

perl joomscan.pl -u http://joomla-target.com -d 5

This command adds a 5-second delay between each HTTP request, making the scan less aggressive. Adjust the delay based on your target environment's responsiveness and security measures.

Common Use Cases with Practical Scenarios

Pre-deployment Audit

You have just finished developing a new Joomla site for a client. Before making it publicly accessible, run a joomla vulnerability scanner. This identifies any vulnerabilities introduced during development, such as outdated components or insecure configurations. Address these issues proactively to prevent day-one exploits.

Post-update Verification

Joomla releases a critical security update for a core component. You apply the patch to your live website. Immediately after, run the joomla vulnerability scanner. This verifies the update correctly resolved the vulnerability and did not inadvertently introduce new issues or configuration problems. It acts as a critical post-patch safety check.

Regular Security Health Checks

Implement a schedule for monthly or quarterly scans across all your Joomla sites. This consistent approach helps detect newly discovered vulnerabilities in core Joomla or its extensions, or accidental misconfigurations that might arise from routine maintenance. Regular scanning is a cornerstone of maintaining a secure web presence, as highlighted in our article on Continuous Vulnerability Scanning: What It Is and How to Do It Right.

Incident Response Initial Assessment

Your Joomla site exhibits unusual behavior, suggesting a potential compromise. As an initial step in incident response, run a quick scan with JoomScan. While not a forensic tool, it can rapidly point to known vulnerabilities that might have been exploited. This information helps narrow down potential attack vectors and guides deeper investigation, saving critical time.

Third-Party Extension Vetting

Before installing a new third-party Joomla extension, consider deploying it on a staging environment. Run JoomScan against this staging site. This helps identify any known vulnerabilities in the extension itself or potential conflicts it might introduce with your existing Joomla setup. Only proceed with installation on production if the extension passes security checks.

Troubleshooting Common Issues

"perl: command not found"

This error indicates Perl is not installed on your operating system. Install it using your system's package manager. For Debian/Ubuntu-based systems, use sudo apt install perl. For CentOS/RHEL, use sudo yum install perl. Ensure your package lists are updated before installation.

"Can't locate LWP/UserAgent.pm in @INC"

JoomScan relies on several Perl modules. This error means a required module, such as LWP::UserAgent, is missing. Install missing modules using CPAN. Run sudo cpan install LWP::UserAgent. If other modules are reported missing, repeat the command for each one (e.g., sudo cpan install URI::URL, sudo cpan install Getopt::Std). CPAN may require initial setup if used for the first time.

"Target URL is not a Joomla site"

JoomScan attempts to identify if the target URL runs Joomla. If it fails, several reasons are possible: the URL is incorrect, there are redirects preventing proper detection, or Joomla is installed in a non-standard sub-directory without clear indicators. Double-check the URL. Browse the site manually to confirm it is indeed a Joomla installation. Sometimes, robust security measures or a CDN might obscure common Joomla fingerprints.

False Positives/Negatives

Vulnerability scanners are not perfect. They can report vulnerabilities that are already patched (false positive) or miss actual vulnerabilities (false negative). Always manually verify critical findings reported by JoomScan. Cross-reference with official Joomla security advisories and the CVE database. Supplement JoomScan with other tools, such as Secably's free website vulnerability scanner or Nikto, for a broader perspective. A layered approach to scanning improves accuracy.

Network or Firewall Blocks

If JoomScan appears to hang or returns connection errors, your requests might be blocked by a firewall, WAF (Web Application Firewall), or an IDS/IPS (Intrusion Detection/Prevention System). Try scanning from a different network or IP address. Use JoomScan's -d flag to introduce a delay between requests, making the scan less aggressive. For advanced cases, consider routing traffic through a proxy, as described in the pro tips section.

Pro Tips for Advanced Usage

Proxying Scans for Anonymity or Evasion

Route JoomScan's traffic through a proxy server. This hides your originating IP address, bypasses IP-based blocking, or allows you to test from specific geographic locations. Use the -p flag with JoomScan, specifying the proxy address and port.

perl joomscan.pl -u http://joomla-target.com -p http://127.0.0.1:8080

Replace 127.0.0.1:8080 with your proxy server's address. Services like GProxy offer various proxy options. Ensure your proxy is correctly configured and operational before starting the scan.

Integrating with CI/CD Pipelines

Automate Joomla vulnerability scans as part of your Continuous Integration/Continuous Deployment (CI/CD) pipeline. This ensures every code commit or deployment triggers a security check against your staging or development environments. For JoomScan, execute the Perl script within your CI/CD runner. For Secably, use its API to trigger scans and retrieve results.

Example for a basic CI/CD script (e.g., in a GitLab CI/CD .gitlab-ci.yml):

security_scan:
  stage: test
  script:
    - git clone https://github.com/rezaduty/Joomscan.git /tmp/Joomscan
    - cd /tmp/Joomscan
    - chmod +x joomscan.pl
    - perl joomscan.pl -u http://staging.joomla-target.com -o /tmp/joomla_scan_report.txt || true
    - cat /tmp/joomla_scan_report.txt | grep -q "Vulnerability Found" && echo "Critical vulnerabilities detected. Build failed." && exit 1 || echo "No critical vulnerabilities found."
  allow_failure: false

This snippet runs JoomScan and fails the build if specific vulnerability patterns are detected in the output. This establishes security gates early in the development lifecycle, preventing vulnerable code from reaching production. For a deeper dive into integrating security, refer to our article Best Penetration Testing Tools (2026): A Toolkit by Phase, which discusses automation.

Customizing Scan Definitions

JoomScan's effectiveness relies on its vulnerability database, located in the db/ directory of its project. You can enhance JoomScan's capabilities by adding custom patterns or signatures. This allows you to check for zero-day vulnerabilities, specific internal misconfigurations, or custom extensions not covered by the default database. This requires knowledge of Perl scripting and Joomla's file structure to create effective signatures. For instance, you could add regex patterns to detect specific strings in HTML or JavaScript that indicate a custom, known vulnerability.

Combining with Attack Surface Management (ASM)

Before initiating any joomla vulnerability scanner, ensure you have a complete inventory of all your Joomla instances. Forgotten or shadow IT assets are common entry points for attackers. Use external asset discovery tools to find all internet-facing assets owned by your organization. Secably offers attack surface management capabilities to identify all your web properties, including subdomains and associated technologies. This ensures no Joomla site goes unscanned. Secably's paid plans, starting at $19/month, offer continuous monitoring and EASM features. Find more details on the Secably pricing page.

Advanced Enumeration with Other Tools

JoomScan specializes in Joomla. For a more comprehensive security posture, combine it with other specialized tools. Use Secably's technology stack detector to identify other web technologies running on the server, such as web servers (Apache, Nginx), databases, or JavaScript frameworks. A free port scanner can reveal open ports and services, exposing potential attack vectors beyond the web application itself. This layered approach provides deeper insights into potential weaknesses across your entire infrastructure, not just the CMS.

Check your site for vulnerabilities

Run a free security scan — no signup, results in seconds.

Related Posts

Stronger security starts with visibility.

Scan your website for vulnerabilities and get actionable insights.