CVE-2025-50056
Description
A reflected XSS vulnerability in RSMail! component 1.19.20 - 1.22.26 for Joomla was discovered. The issue allows remote attackers to inject arbitrary web script or HTML via the crafted parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS in RSMail! 1.19.20–1.22.26 lets remote attackers inject arbitrary HTML/JS via crafted parameters.
A reflected cross-site scripting (XSS) vulnerability exists in the RSMail! component for Joomla, affecting versions 1.19.20 through 1.22.26. The issue arises from insufficient sanitization of user-supplied input passed via a crafted parameter, allowing an attacker to inject arbitrary web script or HTML.
To exploit this, an attacker must trick a victim into clicking a maliciously crafted URL that includes the injected payload. The attacker needs no authentication, and the attack is carried out remotely. The vulnerability is reflected, meaning the payload is echoed back in the server's response and executes in the victim’s browser immediately upon request.
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim’s session. This can lead to data theft, session hijacking, or defacement. Since RSMail! processes email forms, the attack surface may be expanded through crafted form submissions or link manipulation.
As of the publication date, the vendor has not released a patched version. Users are advised to apply input validation and output encoding manually or disable the component until an update is provided. The vendor’s site lists updates for other extensions, but no fix for this vulnerability has been announced [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
- rsjoomla.com (nvd)