CVE-2026-23900 PUBLISHED

Extension - phoca.cz - Stored XSS vectors in Phoca Maps component 5.0.0 - 6.0.2 for Joomla

Assigner: Joomla
Reserved: 17.01.2026 Published: 11.04.2026 Updated: 11.04.2026

Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.

Product Status

Vendor phoca.cz
Product phoca.cz - Phoca Maps for Joomla
Versions Default: unaffected
  • Version 5.0.0-6.0.2 is affected

Credits

  • Felipe Monteiro finder
  • Leandro Vallim finder

References

Problem Types

  • CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE

Impacts

  • CAPEC-63 Cross-Site Scripting