Impact
K2, the getk2.com content extension for Joomla, in versions 2.26 and earlier writes the value of the #__k2_users.image database column directly into HTML src attributes in two separate template files. The value is not HTML-escaped, so an attacker who can store a crafted value in that field can break out of the attribute and embed arbitrary HTML or JavaScript in the rendered page. This is a stored cross-site scripting flaw (CWE-79): the injected script runs in the browser of every visitor who views an affected page, which enables session hijacking, defacement, or redirection of visitors to malware. The impact is confined to users who view the affected pages, but on a busy site that can be a large population.
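The pattern the advisory describes, shown here as an added illustration that is not K2's own code: a constructed stand-in for a template that renders the author image, with the vulnerable concatenation beside a hardened version and a small check that parses the result. The function names, the sample payload and the scheme allow-list are assumptions; only the #__k2_users.image column and the src-attribute sink come from the advisory.

```php
<?php
// Added example, not K2's own code. Models the pattern the advisory
// describes: a value read from #__k2_users.image is concatenated into an
// <img src="..."> attribute. Function names and the payload are constructed.

declare(strict_types=1);

// Constructed attacker-controlled value, as it would sit in #__k2_users.image.
// The leading double quote closes the src attribute; what follows adds an
// onerror handler and reopens a dummy attribute so the markup stays balanced.
const MALICIOUS_IMAGE = '" onerror="alert(document.cookie)" x="';

// Vulnerable pattern: the column value is written into the attribute verbatim.
function renderVulnerable(string $image): string
{
    return '<img src="' . $image . '" alt="author" />';
}

// Defence in depth (assumed policy, not K2's): path-only and scheme-relative
// values pass through; absolute URLs must use http or https.
function isAllowedImageUrl(string $image): bool
{
    if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $image, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    return true;
}

// Hardened pattern: drop disallowed schemes, then HTML-encode for the
// attribute context so a quote in the value can no longer end the attribute.
function renderHardened(string $image): string
{
    $url = isAllowedImageUrl($image) ? $image : '';
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '" alt="author" />';
}

// Check helper: parse the rendered markup and list the attributes a browser
// will actually see on the <img>. Anything beyond src and alt was injected.
function imgAttributeNames(string $html): array
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);
    $dom->loadHTML($html);
    libxml_clear_errors();
    $img = $dom->getElementsByTagName('img')->item(0);
    $names = [];
    foreach ($img->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

$cases = [
    'vulnerable'                    => renderVulnerable(MALICIOUS_IMAGE),
    'hardened'                      => renderHardened(MALICIOUS_IMAGE),
    'hardened (javascript: scheme)' => renderHardened('javascript:alert(1)'),
    'hardened (benign URL)'         => renderHardened('https://example.org/avatar.png'),
];
foreach ($cases as $label => $html) {
    printf("%-31s %s\n    attributes: %s\n", $label . ':', $html, implode(', ', imgAttributeNames($html)));
}
```

Run with `php example.php`. The vulnerable render yields an `<img>` carrying src, onerror, x and alt; the hardened render yields only src and alt, because `htmlspecialchars` turns the payload's quotes into `&quot;` and the attribute is never terminated. Attribute-context encoding alone closes the breakout the advisory reports; the scheme check is an extra layer so that a value such as `javascript:alert(1)` is dropped rather than merely encoded.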
Affected Systems
Joomla sites running the getk2.com K2 extension at version 2.26 or older are affected. The flaw is reachable on any such installation where the image field of a K2 user record can be populated from an untrusted source. No other products or versions are listed.
Risk and Exploitability
The CVSS score of 6.1 rates the vulnerability as Medium severity; no EPSS score is available, and it is not listed in the CISA KEV catalog. Exploitation requires only the ability to write a crafted value into a K2 user's image field, so any user who can set that field can trigger the flaw. The absence of a public exploit does not reduce the risk: stored XSS of this kind is straightforward to exploit, and the flaw remains live for as long as the affected version is in use. The impact on confidentiality and integrity is moderate, but the missing output encoding lets an attacker run code in the browser of every visitor to the affected pages, which is a non-negligible threat to the site's users.
OpenCVE Enrichment