Platform: joomla
Component: phoca_maps
Fixed in: 5.0.1
CVE-2026-23900 represents a collection of stored Cross-Site Scripting (XSS) vulnerabilities found within the maps and icon rendering processes of the Phoca Maps component for Joomla. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of a user's browser, potentially leading to session hijacking or defacement. This vulnerability affects versions 5.0.0 through 6.0.2 of the Phoca Maps component. No official patch is currently available.
CVE-2026-23900 affects Phoca Maps for Joomla versions 5.0.0 through 6.0.2, exposing websites to multiple stored Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities reside within the map and icon rendering logic, allowing an attacker to inject malicious code that executes in the browser of other users. The impact can range from cookie and session theft to redirection to malicious websites or modification of page content. The severity of the vulnerability depends on the sensitivity of the information handled by the website and the level of access an attacker can obtain. The lack of a currently available fix exacerbates the risk, requiring immediate preventative measures.
An attacker could exploit these stored XSS vulnerabilities by injecting malicious code through forms, input fields, or any other point where users can provide data used to generate maps or icons. Once the malicious code is stored, it will trigger when another user accesses the page containing the malicious content. This could occur, for example, when loading a map with a custom marker containing XSS code. The lack of validation and sanitization of user inputs allows attackers to bypass standard defenses and execute arbitrary code in the context of the target user.
Exploit Status
EPSS: 0.04% (11th percentile)
As there is no official fix available for CVE-2026-23900, mitigation focuses on preventative measures. We strongly recommend updating to a patched version of Phoca Maps as soon as one is released. In the meantime, implementing robust input filtering to sanitize user-provided data used in map and icon generation is suggested. Applying a Content Security Policy (CSP) to restrict the script sources the website may execute is also recommended. Actively monitoring the website for suspicious activity and limiting access to Phoca Maps functionality to authorized users are also crucial steps.
Update the Phoca Maps component to a version later than 6.0.2 to mitigate the XSS vulnerabilities. Consult the vendor documentation at https://phoca.cz/ for detailed upgrade instructions.
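The marker-popup scenario described above and the input-filtering advice, shown as an added example that is not code from Phoca Maps or the original advisory: the unsafe pattern concatenates stored marker fields straight into popup HTML, the hardened pattern encodes them for the HTML element context first, and a small review helper flags stored records that already carry markup. The field names `title` and `description` and the sample record are assumptions, not Phoca Maps' real schema.

```javascript
// Encode a user-supplied value for insertion into an HTML element body or
// double-quoted attribute. Covers the five characters that change HTML meaning.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored marker fields land in the popup markup unencoded,
// so any markup saved with the marker is parsed and executed by the browser.
function renderPopupUnsafe(marker) {
  return `<div class="marker-popup"><h4>${marker.title}</h4>` +
    `<p>${marker.description}</p></div>`;
}

// Hardened pattern: every user-controlled field is encoded for the context it
// is written into, so stored markup is displayed as text rather than parsed.
function renderPopupSafe(marker) {
  return `<div class="marker-popup"><h4>${escapeHtml(marker.title)}</h4>` +
    `<p>${escapeHtml(marker.description)}</p></div>`;
}

// Review helper for existing records: flags values that contain an HTML tag,
// an inline event-handler attribute, or a javascript: URL so they can be
// inspected. A heuristic for triage, not a sanitizer.
function looksLikeMarkup(value) {
  return /<\s*[a-z!\/]|\bon\w+\s*=|javascript:/i.test(String(value));
}

// Triage a list of stored markers; returns the ids whose fields need review.
function findSuspiciousMarkers(markers) {
  return markers
    .filter((m) => looksLikeMarkup(m.title) || looksLikeMarkup(m.description))
    .map((m) => m.id);
}

// Constructed sample records (not real data) to exercise the functions above.
const sampleMarkers = [
  { id: 1, title: "Head office", description: "Main entrance on the north side" },
  { id: 2, title: "Depot", description: "<script>alert('stored xss')</script>" },
];
```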
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
"No official patch available" means that the Phoca Maps developer has not yet released an update that fixes this vulnerability, so alternative mitigation measures are required.
Perform penetration testing or use vulnerability scanning tools to identify potential XSS entry points on your website.
CSP (Content Security Policy) is a security layer that allows you to define which content sources are allowed to load on a web page, reducing the risk of XSS.
Isolate the website, investigate the incident, remove any malicious code, and notify affected users.