{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23900", "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "state": "PUBLISHED", "assignerShortName": "Joomla", "dateReserved": "2026-01-17T04:38:44.009Z", "datePublished": "2026-04-11T12:52:12.525Z", "dateUpdated": "2026-04-14T05:14:12.556Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "com_phocymaps", "product": "phoca.cz - Phoca Maps for Joomla", "vendor": "phoca.cz", "versions": [{"status": "affected", "version": "5.0.0-6.0.2"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Felipe Monteiro"}, {"lang": "en", "type": "finder", "value": "Leandro Vallim"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered."}], "value": "Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla", "dateUpdated": "2026-04-14T05:14:12.556Z"}, "references": [{"tags": ["product"], "url": "https://phoca.cz/"}], "source": {"discovery": "UNKNOWN"}, "title": "Extension - phoca.cz - Stored XSS vectors in Phoca Maps component 5.0.0 - 6.0.2 for Joomla", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:42:46.000763Z", "id": "CVE-2026-23900", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:43:10.408Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23900", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:42:46.000763Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:43:05.015Z"}}], "cna": {"title": "Extension - phoca.cz - Stored XSS vectors in Phoca Maps component 5.0.0 - 6.0.2 for Joomla", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Felipe Monteiro"}, {"lang": "en", "type": "finder", "value": "Leandro Vallim"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting"}]}], "affected": [{"vendor": "phoca.cz", "product": "phoca.cz - Phoca Maps for Joomla", "versions": [{"status": "affected", "version": "5.0.0-6.0.2"}], "packageName": "com_phocymaps", "defaultStatus": "unaffected"}], "references": [{"url": "https://phoca.cz/", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.", "supportingMedia": [{"type": "text/html", "value": "Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla", "dateUpdated": "2026-04-14T05:14:12.556Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23900", "state": "PUBLISHED", "dateUpdated": "2026-04-14T05:14:12.556Z", "dateReserved": "2026-01-17T04:38:44.009Z", "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "datePublished": "2026-04-11T12:52:12.525Z", "assignerShortName": "Joomla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phoca:maps:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3DDBEAE-CA23-451C-817D-2C85AF9D639C", "versionEndIncluding": "6.0.2", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered."}], "id": "CVE-2026-23900", "lastModified": "2026-04-17T16:15:57.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-11T14:16:03.377", "references": [{"source": "security@joomla.org", "tags": ["Product"], "url": "https://phoca.cz/"}], "sourceIdentifier": "security@joomla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@joomla.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,6.0.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "phoca.cz - Phoca Maps for Joomla", "source": "cna", "vendor": "phoca.cz"}, "product": "phoca.cz_-_phoca_maps_for_joomla", "vendor": "phoca.cz"}], "analysis": {"en": {"generated_at": "2026-04-13T19:37:33.127964+00:00", "value": {"mitigation_remediation": ["Upgrade Phoca Maps to at least version 6.0.3 or later.", "If an upgrade is not immediately possible, restrict map editing permissions to trusted administrators.", "Sanitize all map and icon input fields to prevent script injection.", "Monitor map content for unexpected script tags and review any suspicious entries."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Phoca Maps for Joomla versions 5.0.0 through 6.0.2 from phoca.cz are affected. The problem exists in the maps and icon rendering modules, where user\u2011supplied content is not properly escaped.", "description_and_impact": "The vulnerability allows an attacker to store malicious script code in the maps\u2011 or icon rendering logic of Phoca Maps for Joomla. When another user views the affected map, the script is executed in that user\u2019s browser. This can lead to theft of session cookies, credential hijacking, or the injection of further malware. The weakness corresponds to CWE\u201179, indicating Cross\u2011Site Scripting.", "risk_and_exploitability": "The CVSS score is 6.5, placing it in the medium severity range. The EPSS score is below 1%, suggesting a low probability that the vulnerability will be actively exploited. It is not currently listed in CISA\u2019s KEV catalog. The likely attack vector is through the web interface, where an attacker can inject script into map or icon fields that are later rendered for all visitors. Successful exploitation requires that the attacker be able to add or edit map content, which may be restricted to authenticated users with editing privileges."}}}}, "created": "2026-04-13T12:41:51.867462+00:00", "updated": "2026-04-14T16:36:14.267676+00:00", "vendors": ["phoca.cz", "phoca.cz$PRODUCT$phoca.cz_-_phoca_maps_for_joomla"]}