CyberCheatsheets

JoomScan Cheat Sheet

Joomla CMS vulnerability scanner and version or component enumerator.

Web Application SecuritycmsenumerationjoomlaUpdated 2026-06-02

Overview

JoomScan detects Joomla version, components, templates, and known issues. Use on authorized Joomla sites during CMS-focused assessments.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y joomscan

or

git clone https://github.com/OWASP/joomscan.git
cd joomscan && perl joomscan.pl

Essential commands

Basic scan

joomscan -u https://target.example

Enumerate components

joomscan -u https://target.example --enumerate-components

Common workflows

Version and vulnerability check —

joomscan -u https://target.example -ec -eb
joomscan -u https://target.example --enumerate-components -o joom_report.txt

User enumeration —

joomscan -u https://target.example --enumerate-users

Proxy through Burp —

joomscan -u https://target.example --proxy http://127.0.0.1:8080

Flags reference

-u URL

Target Joomla URL

-ec

Enumerate components

-eb

Enumerate backups

-et

Enumerate templates

--enumerate-users

User discovery

--proxy

HTTP proxy

-o

Output file

--random-agent

Random User-Agent

-t

Threads / timeout (version dependent)

Tips

  • Confirm the site is Joomla (generator meta, /administrator/) before relying on results.
  • Cross-check component versions with Exploit-DB and manual PoC validation.
  • Backup file enumeration (-eb) can expose .zip archives—handle findings per disclosure policy.

References

Related cheat sheets