CVE-2026-48940
Severity: Low (CVSS 3.4)
Exploitation Probability (EPSS): Low risk, 6th percentile (higher than 6% of all known CVEs)
Summary
A Joomla user with K2 'create item' rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
Risk Assessment
Because the injected payload is stored and rendered unescaped (stored XSS), an attacker with only Author-tier rights can run malicious JavaScript in the browser of every visitor to the article page, leading to session theft, redirects to malicious sites, or data theft.
Recommendation
Immediately update the K2 extension to the latest version that fixes the XSS vulnerability. Until the update is applied, restrict the K2 'create item' permission (and article creation in general) to trusted users only.
Original NVD description (English source)
A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.

