Description
A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Joomla user possessing K2 "create item" rights can submit an article whose embedVideo POST field contains a raw <script> tag. K2 stores that tag unchanged and renders it unescaped on the article page, causing any visitor's browser to execute the contained script. This stored cross-site scripting flaw enables an attacker to run arbitrary JavaScript in the browsers of all page visitors, leading to potential defacement, credential theft, or session hijacking.

Affected Systems

The vulnerability affects the K2 extension for Joomla hosted by getk2.com, specifically versions older than 2.26. No explicit version list is available, but any site running that extension before the patch is at risk. Joomla installations are commonly used by small to medium-sized websites, so the reach of the flaw is broad.

Risk and Exploitability

The EPSS score is not provided and the flaw is not listed in CISA KEV, but the lack of input sanitization allows straightforward exploitation. An attacker only needs author-level access to the Joomla backend to inject the malicious script, which is then executed automatically for every visitor. Because the attack occurs entirely via the web interface and no network-level prerequisites exist, the risk is high for exposed sites.

Generated by OpenCVE AI on June 25, 2026 at 16:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the K2 extension to a version that removes the vulnerable feature or sanitizes the embedVideo input.
  • Disable or restrict the embedVideo field for untrusted authors and filter input to strip <script> tags.
  • Apply a Content-Security-Policy header on the server that blocks inline scripts, so an injected <script> tag cannot run even if it reaches the page.
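An added illustration of the second recommended action (example code, not K2's own, written in Python for clarity although K2 itself is PHP): the embedVideo value is treated as untrusted text, accepted only when it is a single iframe pointing at an allowlisted embed host, and HTML-escaped otherwise so a stored <script> tag is displayed as inert text instead of executed. The allowed host list and iframe attribute set are assumed policy for the example, not taken from the extension.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for this example, not K2's own list: embed hosts an author may paste.
ALLOWED_EMBED_HOSTS = {"www.youtube.com", "player.vimeo.com"}
# Attributes an <iframe> may carry; event handlers (onload=...) and srcdoc are deliberately absent.
ALLOWED_IFRAME_ATTRS = {"src", "width", "height", "frameborder", "allowfullscreen", "allow", "title"}


class _EmbedInspector(HTMLParser):
    """Collects every tag (with attributes) and every piece of bare text in the input."""

    def __init__(self):
        super().__init__()
        self.tags = []  # (tagname, {attr: value}) in document order; HTMLParser lowercases names
        self.text = ""  # text outside tags, including the body of a <script> element

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_data(self, data):
        self.text += data.strip()


def is_safe_embed(raw: str) -> bool:
    """True only for exactly one <iframe> with no bare text, allowlisted attributes,
    and an https src whose host is on the allowlist; everything else is rejected."""
    inspector = _EmbedInspector()
    inspector.feed(raw)
    inspector.close()
    if len(inspector.tags) != 1 or inspector.text:
        return False
    tag, attrs = inspector.tags[0]
    if tag != "iframe" or not set(attrs) <= ALLOWED_IFRAME_ATTRS:
        return False
    src = urlparse(attrs.get("src") or "")
    return src.scheme == "https" and src.hostname in ALLOWED_EMBED_HOSTS


def render_embed_video_vulnerable(stored: str) -> str:
    """The behaviour the advisory describes: the stored field is emitted verbatim."""
    return stored


def render_embed_video_fixed(stored: str) -> str:
    """Emit a validated embed unchanged; anything else is HTML-escaped so a stored
    <script> tag reaches the browser as text, not executable markup."""
    return stored if is_safe_embed(stored) else escape(stored, quote=True)
```

Applying the same validation at submission time (rejecting the POST instead of storing it) removes the payload from the database as well as from the rendered page.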

Advisories

No advisories yet.

References

https://www.getk2.org/
History

Thu, 25 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
Title | | Joomla Extension - getk2.com - Stored-XSS in K2 extension for Joomla < 2.26
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-25T15:26:27.174Z

Reserved: 2026-05-26T16:47:13.550Z

Link: CVE-2026-48940

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:15:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')