Important Security Update: Stored XSS Vulnerability Patched in ChronoForms (CVE-2026-58148)

At ChronoEngine, keeping your websites secure and stable is our highest priority. As part of our continuous internal code auditing and security tracking, we have identified and patched a Stored Cross-Site Scripting (XSS) vulnerability in older versions of ChronoForms (versions 1.0 through 8.0.52).

This issue has been completely fixed in ChronoForms version 8.0.53. We highly recommend that all users update their installations immediately.

The Specific Conditions Required for This Exploit

This vulnerability cannot be triggered on a standard text field, and it does not affect all forms. For an exploit to be possible, a very specific set of conditions must be met simultaneously:

  • Multi-Value Fields Only: The vulnerability only occurs if your form contains a multi-value field—specifically a Checkboxes Group or a Multi-Selection Dropdown Menu.
  • Form Logs Enabled: The issue only triggers if you have explicitly turned on the Form Logs feature for that specific form to save user submissions directly into your database.
  • The Attack Vector: A malicious actor submits a form containing harmful script commands hidden inside one of those multi-value checkbox or dropdown choices.
  • The Activation Trigger: The attack may only take place when a website administrator logs into the backend and actively tries to view or read that specific infected log item inside the administration panel.

How to Protect Your Website Right Now

Because the vulnerability requires an administrator to view the corrupted submission entry to execute, keeping your backend software up to date stops the risk in its tracks.

  1. Update Immediately: Log into your Joomla backend, navigate to your extension manager, and update ChronoForms to v8.0.53 or higher.
  2. Alternative Download: You can also grab the latest clean package files directly by logging into your account dashboard on ChronoEngine.com.

Thank you for your ongoing support and trust as we continue working to keep ChronoForms a reliable and secure tool for your websites.

Comments