CVE-2026-48940 PUBLISHED

Joomla Extension - getk2.com - Stored-XSS in K2 extension for Joomla < 2.26

Assigner: Joomla
Reserved: 26.05.2026 Published: 25.06.2026 Updated: 25.06.2026

A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose embedVideo POST field contains a raw <script> tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.

Product Status

Vendor	getk2.com
Product	K2 extension for Joomla
Versions	Default: unaffected Version 1.0-2.26 is affected

Credits

Matan Bahar finder

References

https://www.getk2.org/

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE