Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.
AnalysisAI
Stored XSS vulnerabilities in Phoca Maps for Joomla 5.0.0-6.0.2 allow unauthenticated remote attackers to inject and execute arbitrary JavaScript in map and icon rendering logic, potentially compromising user sessions and stealing sensitive data. CVSS 6.5 reflects network accessibility and information disclosure risk, though EPSS (0.03%) suggests low current exploitation likelihood. The vulnerability requires no authentication or user interaction to inject payloads, but stored nature means victims are affected upon viewing contaminated maps.
Technical ContextAI
Phoca Maps is a Joomla component providing map and icon rendering functionality within the Joomla content management system. The vulnerability resides in insufficient input sanitization or output encoding in the maps and icon rendering subsystems, allowing attackers to bypass client-side or server-side XSS protections (CWE-79: Improper Neutralization of Input During Web Page Generation). The affected component processes user-supplied data without adequate HTML entity encoding or content security policy enforcement, permitting injected script payloads to persist in the database and execute in the context of other users' browsers when the contaminated map or icon is rendered.
RemediationAI
Update Phoca Maps component to version 6.0.3 or later when released by phoca.cz. Until a patched version is available, restrict map creation and editing permissions to trusted administrators only, implement a Web Application Firewall (WAF) rule blocking JavaScript payloads in map data fields, and apply Joomla's native Content Security Policy headers to mitigate XSS impact. Review existing maps for injected scripts and sanitize any suspicious content. Monitor phoca.cz project repository and Joomla security advisories for patch availability. Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-23900 and https://vuldb.com/vuln/356982.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21678