CVE Catalog

CVE-2026-48942

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

4th percentile — higher than 4% of all known CVEs

Summary

K2 version 2.26 and earlier renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.

Risk Assessment

An attacker can inject malicious JavaScript or other content through the user image field, leading to XSS (Cross-Site Scripting) attacks and potential session theft or account takeover.

Recommendation

Immediately update the K2 plugin to a version newer than 2.26, which includes a fix preventing code injection through src attributes.

Original NVD description (English source)

K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS