This vulnerability involves multiple stored cross-site scripting (CWE-79) issues in the Phoca Maps Joomla component versions 5.0.0 to 6.0.2. The flaws exist in the logic that renders maps and icons, where user input is not properly sanitized or neutralized before being included in web pages. This improper input handling can lead to persistent injection of malicious scripts that execute in the context of users visiting affected pages. The vulnerability was publicly disclosed on April 11, 2026, but no CVSS score or vendor remediation details are currently available.

Successful exploitation of these stored XSS vulnerabilities could allow attackers to execute arbitrary scripts in the browsers of users viewing affected pages. This may lead to session hijacking, defacement, or other malicious actions depending on the victim's privileges and the attacker's intent. However, no known exploits have been reported in the wild, and the exact impact depends on the deployment context of the vulnerable Phoca Maps component.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or limiting the use of the Phoca Maps component versions 5.0.0 to 6.0.2, or apply manual input sanitization if feasible. Monitoring the vendor's official channels for updates is recommended.