Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network injection (PR:N, AV:N) needing a victim to view the page (UI:R); scope changes to the victim's browser session (S:C) with high confidentiality but limited integrity and no availability impact.
Primary rating from Vendor (Joomla).
CVSS VectorVendor: Joomla
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The Joomla extension Helix Ultimate is vulnerable to an unauthenticated stored XSS.
AnalysisAI
Stored cross-site scripting in JoomShaper's Helix Ultimate template framework for Joomla lets unauthenticated attackers persist malicious JavaScript that executes in a victim's browser when the affected page is viewed. Because injection requires no authentication (PR:N) but relies on a victim rendering the poisoned content (UI:P), an attacker can hijack sessions, steal credentials, or perform actions as high-privilege administrators who visit the page. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an unauthenticated attacker (PR:N) to reach a Helix Ultimate input surface that stores content later rendered into the template, and - critically - a victim must subsequently view the affected page for the stored script to execute (UI:P, passive user interaction). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score is 8.7 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H, indicating a network-reachable, low-complexity, unauthenticated injection whose payload fires only when a victim views the content (user interaction required). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits crafted input containing a JavaScript payload to an unauthenticated Helix Ultimate input surface, where it is stored and later served within the site's template markup. When a site administrator or other privileged user opens the affected page, the script executes in their browser session, allowing the attacker to steal the session cookie or CSRF token and act as that user. … |
| Remediation | No vendor-released patch version is identified in the available data, so consult JoomShaper at https://www.joomshaper.com/joomla-templates/helixultimate for the latest Helix Ultimate release and upgrade to the newest version once a fix is published, verifying the changelog references CVE-2026-57829. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Joomla instances running JoomShaper Helix Ultimate and inventory Joomla versions; enable detailed logging for template modifications and failed security events. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43302
GHSA-6r9m-9724-qfvg