Description
A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
Published: 2026-06-25
Score: 3.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Joomla user possessing K2 “create item” rights can submit an article whose embedVideo POST field contains a raw <script> tag. K2 stores that tag unchanged and renders it unescaped on the article page, causing any visitor’s browser to execute the contained script. This stored cross‑site scripting flaw enables an attacker to run arbitrary JavaScript in the browsers of all page visitors, leading to potential defacement, credential theft, or session hijacking.

Affected Systems

The vulnerability affects the K2 extension for Joomla hosted by getk2.com, specifically versions older than 2.26. No explicit version list is available, but any site running that extension before the patch is at risk. Joomla installations are commonly used by small to medium‑sized websites, so the reach of the flaw is broad.

Risk and Exploitability

The EPSS score is not provided and the flaw is not listed in CISA KEV, but the lack of input sanitization allows straightforward exploitation. The CVSS score of 3.4 indicates moderate severity. An attacker only needs author‑level access to the Joomla backend to inject the malicious script, which is then executed automatically for every visitor. Because the attack occurs entirely via the web interface and no network‑level prerequisites exist, the risk is high for exposed sites.

Generated by OpenCVE AI on June 25, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest K2 extension update (v2.26 or newer) which sanitizes the embedVideo field.
  • If an immediate update is not possible, prevent author‑level users from posting using the embedVideo field, or remove the embedVideo field entirely from the article submission form.
  • Deploy a Content Security Policy that restricts inline JavaScript execution for the Joomla site to mitigate the impact of any remaining XSS.

Generated by OpenCVE AI on June 25, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.getk2.org/ cve-icon
History

Sun, 28 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title Joomla Extension - getk2.com - Stored-XSS in K2 extension for Joomla < 2.26 Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Getk2
Getk2 k2 Extension For Joomla
Vendors & Products Getk2
Getk2 k2 Extension For Joomla

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
Title Joomla Extension - getk2.com - Stored-XSS in K2 extension for Joomla < 2.26
Weaknesses CWE-79
References

Subscriptions

Getk2 K2 Extension For Joomla
cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-28T18:38:46.748Z

Reserved: 2026-05-26T16:47:13.550Z

Link: CVE-2026-48940

cve-icon Vulnrichment

Updated: 2026-06-25T18:47:01.438Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:57Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')