Description
Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.
Published: 2026-04-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to store malicious script code in the maps‑ or icon rendering logic of Phoca Maps for Joomla. When another user views the affected map, the script is executed in that user’s browser. This can lead to theft of session cookies, credential hijacking, or the injection of further malware. The weakness corresponds to CWE‑79, indicating Cross‑Site Scripting.

Affected Systems

Phoca Maps for Joomla versions 5.0.0 through 6.0.2 from phoca.cz are affected. The problem exists in the maps and icon rendering modules, where user‑supplied content is not properly escaped.

Risk and Exploitability

The CVSS score is 6.5, placing it in the medium severity range. The EPSS score is below 1%, suggesting a low probability that the vulnerability will be actively exploited. It is not currently listed in CISA’s KEV catalog. The likely attack vector is through the web interface, where an attacker can inject script into map or icon fields that are later rendered for all visitors. Successful exploitation requires that the attacker be able to add or edit map content, which may be restricted to authenticated users with editing privileges.

Generated by OpenCVE AI on April 13, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Phoca Maps to at least version 6.0.3 or later.
  • If an upgrade is not immediately possible, restrict map editing permissions to trusted administrators.
  • Sanitize all map and icon input fields to prevent script injection.
  • Monitor map content for unexpected script tags and review any suspicious entries.

Generated by OpenCVE AI on April 13, 2026 at 19:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://phoca.cz/ cve-icon cve-icon
History

Fri, 17 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Phoca
Phoca maps
CPEs cpe:2.3:a:phoca:maps:*:*:*:*:*:*:*:*
Vendors & Products Phoca
Phoca maps

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Phoca.cz
Phoca.cz phoca.cz - Phoca Maps For Joomla
Vendors & Products Phoca.cz
Phoca.cz phoca.cz - Phoca Maps For Joomla

Sat, 11 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
Description Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.
Title Extension - phoca.cz - Stored XSS vectors in Phoca Maps component 5.0.0 - 6.0.2 for Joomla
Weaknesses CWE-79
References

Subscriptions

Phoca Maps
Phoca.cz Phoca.cz - Phoca Maps For Joomla
cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-04-14T05:14:12.556Z

Reserved: 2026-01-17T04:38:44.009Z

Link: CVE-2026-23900

cve-icon Vulnrichment

Updated: 2026-04-13T17:43:05.015Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-11T14:16:03.377

Modified: 2026-04-17T16:15:57.593

Link: CVE-2026-23900

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:14Z

Weaknesses