Home

Description

A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.

PUBLISHED Reserved 2026-05-26 | Published 2026-06-25 | Updated 2026-06-25 | Assigner Joomla

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

1.0-2.26
affected

Credits

Matan Bahar finder

Niv Kochan finder

References

www.getk2.org/ product

cve.org (CVE-2026-48940)

nvd.nist.gov (CVE-2026-48940)

Download JSON