CVE Catalog
CVE-2026-48942
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk0.15%
4th percentile — higher than 4% of all known CVEs
Summary
K2 version 2.26 and earlier renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.
Risk Assessment
An attacker can inject malicious JavaScript or other content through the user image field, leading to XSS (Cross-Site Scripting) attacks and potential session theft or account takeover.
Recommendation
Immediately update the K2 plugin to a version newer than 2.26, which includes a fix preventing code injection through src attributes.
Original NVD description (English source)
K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.

