CVE-2026-48942 PUBLISHED

Joomla Extension - getk2.com - Stored-XSS in K2 extension for Joomla < 2.26

Assigner: Joomla
Reserved: 26.05.2026 Published: 25.06.2026 Updated: 25.06.2026

K2 ≤ 2.26 renders the #__k2_users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping.

Product Status

Vendor getk2.com
Product K2 extension for Joomla
Versions Default: unaffected
  • Version 1.0-2.26 is affected

Credits

  • Matan Bahar finder

References

Problem Types

  • CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE