CVE-2026-48940

Severity: Low (CVSS 3.4)

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile — higher than 6% of all known CVEs

Summary

A Joomla user with K2 'create item' rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.

Risk Assessment

An attacker can inject malicious JavaScript code that executes in visitors' browsers, leading to session theft, redirects to malicious sites, or data theft.

Recommendation

Immediately update the K2 extension to the latest version that fixes the XSS vulnerability. Until the update, restrict article creation permissions to trusted users only.

Original NVD description (English source)

A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS