CVE-2026-58148
ChronoEngine · ChronoForms extension for Joomla
The ChronoForms extension for Joomla, versions 1.0 through 8.0.52, contains an unauthenticated stored cross-site scripting (XSS) vulnerability.
Executive summary
An unauthenticated stored XSS vulnerability in the ChronoForms extension for Joomla creates a high risk of session hijacking and unauthorized administrative actions.
Vulnerability
This is a stored XSS vulnerability (CWE-79) that allows unauthenticated attackers to inject malicious scripts into web pages generated by the extension, which are then executed in the context of other users' browsers.
Business impact
With a CVSS score of 8.7, this vulnerability poses a significant risk to the security of the Joomla environment. Successful exploitation can lead to the theft of session cookies, account takeover, or the redirection of users to malicious websites, resulting in severe reputational and data security damage.
Remediation
Immediate Action: Check the ChronoEngine website for the latest security release and apply the update immediately.
Proactive Monitoring: Audit site logs for unusual script injections or unauthorized content modifications within form data fields.
Compensating Controls: Deploy a Web Application Firewall with robust XSS protection rules to sanitize incoming traffic and block malicious script payloads.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Due to the unauthenticated nature of this vulnerability, it is highly attractive to automated scanning tools. Users of the ChronoForms extension must treat this as a high-priority item and ensure their software is updated to a version that remediates this flaw.