Skip to content
Business Efficiency

Joomla: 1,313 CVEs and 352K Sites That Can't Leave

A framework nobody recommends still runs 352,000 sites. The switching cost exceeds the security cost — until a breach reverses the equation.

· 5 min read
Share on X LinkedIn
Joomla: 1,313 CVEs and 352K Sites That Can't Leave

The Framework Nobody Recommends

No web development agency in 2026 recommends Joomla for a new project. No technology evaluator includes it on a shortlist. No university curriculum teaches it. Joomla does not appear in job postings, developer surveys, or framework comparison guides. By every forward-looking indicator, the framework is over.

And yet WebPulse detects Joomla on 352,042 sites — 3.5% of all framework detections at the 10-million-site scale. These are not test installations or abandoned domains. They are active sites with valid SSL certificates, current DNS records, and functioning content management. They are municipalities, regional hospitals, small manufacturers, and tourism boards. They were built between 2008 and 2016, they worked, and nobody has migrated them because migration costs money that maintaining the status quo does not — at least not visibly.

352,042 (3.5% of detectable web)
Joomla site detections
Source: WebPulse scan aggregation (June 2026)
1,313
Joomla total CVEs
Source: NVD/NIST (June 2026)
63
Joomla WebPulse score
Source: WebPulse Framework Intelligence (June 2026)

1,313 Vulnerabilities and Counting

Joomla has accumulated 1,313 CVEs in the National Vulnerability Database. This is not a WordPress-scale number — WordPress carries 18,321 — but Joomla runs on a fraction of the sites. On a per-site basis, Joomla's vulnerability density is significant. The framework's score of 63 in WebPulse places it in the lower third of all scored frameworks, below Django (80), Rails (84), and Laravel (80), and well below modern alternatives like Astro (90) or FastAPI (95).

The 1,313 figure covers the Joomla core and its extension ecosystem. Like WordPress, Joomla's architecture depends on third-party extensions for functionality beyond basic content management. Unlike WordPress, the Joomla extension ecosystem has contracted significantly. Fewer active developers means fewer security patches. Extensions that were last updated in 2019 still run in production on sites that have no alternative — the extension's functionality is baked into the site's workflow, and no equivalent exists in the shrinking Joomla marketplace.

The Switching Cost Calculation

A typical Joomla-to-modern-framework migration for a mid-complexity site — 50-200 pages, custom templates, form integrations, user accounts — costs between $15,000 and $60,000, depending on the target framework and content complexity. For a municipality or regional hospital operating on fixed IT budgets, this is a capital expenditure that competes with every other technology priority. The Joomla site still works. The contact form still sends emails. The annual hosting and maintenance cost is $2,000-5,000. The migration cost is 3-12 years of maintenance cost, paid upfront.

This is rational economics — until a breach changes the equation. The average cost of a data breach for organizations with fewer than 500 employees reached $3.31 million in 2025 according to IBM's Cost of a Data Breach report. A single SQL injection through an unpatched Joomla extension converts the $15,000-60,000 migration cost into a rounding error on the incident response invoice. The switching cost exceeds the security cost right up until the moment it does not.

$15,000 - $60,000
Estimated Joomla migration cost (mid-complexity)
Source: Industry estimates based on WebPulse framework migration analysis (June 2026)
$3.31 million
Average data breach cost (< 500 employees)
Source: IBM Cost of a Data Breach Report (2025)

The Talent Drain

Joomla's developer community has contracted to the point where finding a qualified Joomla developer is itself a cost center. Stack Overflow's 2025 developer survey does not list Joomla as a distinct category. Job postings mentioning Joomla on major platforms have declined year over year since 2018. The developers who maintain Joomla sites in 2026 are increasingly generalist PHP contractors who treat Joomla as one of several legacy platforms they support — not specialists with deep framework knowledge.

This has a direct cost implication. When the one contractor who understands a Joomla site's custom extensions retires or moves on, the organization faces a choice between finding another contractor at increasing cost or migrating the site entirely. The talent dependency is a hidden liability that does not appear on any balance sheet but materializes predictably over time.

The Decision Window

Organizations running Joomla sites face a narrowing window. PHP version support cycles are shortening. Hosting providers are deprecating older PHP versions. The Joomla extension marketplace is contracting. Each year of continued operation reduces the pool of available migration expertise while increasing the urgency of the migration itself. The rational time to migrate is before a breach forces it — when the organization controls the timeline, the budget, and the architectural choices. The 352,042 sites still running Joomla represent organizations that have not yet made that decision. The data suggests the decision will eventually make itself.

Share this insight