CVE-2026-58148
Received Received - Intake

Unauthenticated Stored XSS in ChronoForms Joomla Extension

Vulnerability report for CVE-2026-58148, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Joomla! Project

Description

The Joomla extension ChronoForms is vulnerable to an unauthenticated stored XSS vulnerability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
joomla chronoforms *
chronoengine chronoforms *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Joomla extension ChronoForms has an unauthenticated stored cross-site scripting (XSS) vulnerability. This means an attacker can inject malicious scripts into the application that are stored on the server and executed when other users access the affected pages.

Impact Analysis

An attacker could steal user sessions, deface websites, or deliver malware to visitors. Since it is stored, the impact persists until the malicious script is removed. Users with admin access could be particularly targeted.

Compliance Impact

This vulnerability could lead to unauthorized data access or modification, violating GDPR's integrity and confidentiality requirements. For HIPAA, it may compromise protected health information if forms handle such data.

Mitigation Strategies

Update the ChronoForms extension to the latest patched version immediately. Disable the extension if no patch is available. Monitor network traffic for unusual XSS-related activities and restrict form submissions to trusted sources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58148. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart