Vulnerability Details CVE-2026-48940
A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 6.3%
CVSS Severity
CVSS v3 Score 3.4
References
Products affected by CVE-2026-48940
-
cpe:2.3:a:joomlaworks:k2:-
-
cpe:2.3:a:joomlaworks:k2:2.10.1
-
cpe:2.3:a:joomlaworks:k2:2.13
-
cpe:2.3:a:joomlaworks:k2:2.14
-
cpe:2.3:a:joomlaworks:k2:2.15
-
cpe:2.3:a:joomlaworks:k2:2.16
-
cpe:2.3:a:joomlaworks:k2:2.17
-
cpe:2.3:a:joomlaworks:k2:2.18
-
cpe:2.3:a:joomlaworks:k2:2.19
-
cpe:2.3:a:joomlaworks:k2:2.20
-
cpe:2.3:a:joomlaworks:k2:2.21
-
cpe:2.3:a:joomlaworks:k2:2.22
-
cpe:2.3:a:joomlaworks:k2:2.23
-
cpe:2.3:a:joomlaworks:k2:2.24
-
cpe:2.3:a:joomlaworks:k2:2.25
-
cpe:2.3:a:joomlaworks:k2:2.26
-
cpe:2.3:a:joomlaworks:k2:2.8.0