Skip to main content

Phoca Cz Phoca Maps For Joomla CVE-2026-23900

| EUVDEUVD-2026-21678 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-11 Joomla
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 15, 2026 - 12:46 vuln.today
CVSS changed
Apr 13, 2026 - 18:22 NVD
6.5 (MEDIUM)
EUVD ID Assigned
Apr 11, 2026 - 13:30 euvd
EUVD-2026-21678
Analysis Generated
Apr 11, 2026 - 13:30 vuln.today
CVE Published
Apr 11, 2026 - 12:52 nvd
MEDIUM 6.5

DescriptionCVE.org

Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.

AnalysisAI

Stored XSS vulnerabilities in Phoca Maps for Joomla 5.0.0-6.0.2 allow unauthenticated remote attackers to inject and execute arbitrary JavaScript in map and icon rendering logic, potentially compromising user sessions and stealing sensitive data. CVSS 6.5 reflects network accessibility and information disclosure risk, though EPSS (0.03%) suggests low current exploitation likelihood. The vulnerability requires no authentication or user interaction to inject payloads, but stored nature means victims are affected upon viewing contaminated maps.

Technical ContextAI

Phoca Maps is a Joomla component providing map and icon rendering functionality within the Joomla content management system. The vulnerability resides in insufficient input sanitization or output encoding in the maps and icon rendering subsystems, allowing attackers to bypass client-side or server-side XSS protections (CWE-79: Improper Neutralization of Input During Web Page Generation). The affected component processes user-supplied data without adequate HTML entity encoding or content security policy enforcement, permitting injected script payloads to persist in the database and execute in the context of other users' browsers when the contaminated map or icon is rendered.

RemediationAI

Update Phoca Maps component to version 6.0.3 or later when released by phoca.cz. Until a patched version is available, restrict map creation and editing permissions to trusted administrators only, implement a Web Application Firewall (WAF) rule blocking JavaScript payloads in map data fields, and apply Joomla's native Content Security Policy headers to mitigate XSS impact. Review existing maps for injected scripts and sanitize any suspicious content. Monitor phoca.cz project repository and Joomla security advisories for patch availability. Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-23900 and https://vuldb.com/vuln/356982.

Share

CVE-2026-23900 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy