Joomla Vulnerability in K2 Allows Script Injection for Authors
CVE-2026-48940
Currently unrated
What is CVE-2026-48940?
A vulnerability exists in K2 for Joomla where an authenticated user with item creation permissions can inject malicious scripts via the 'embedVideo' POST field. The K2 plugin stores this script without escaping, so it executes in the browser of any visitor who views the affected article page. This flaw poses significant risks, including potential data theft or site compromise.
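A defender's audit for the condition described above, as an added example that is not K2 or Joomla code: it assumes the stored 'embedVideo' values have already been exported as (item id, markup) pairs. The names `EmbedAuditor` and `audit_embeds`, the allow-list and the sample rows are constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: a legitimate video embed only needs these elements.
ALLOWED_TAGS = {"iframe", "video", "source", "track"}
URL_ATTRS = {"src", "href", "poster", "data", "action", "formaction"}

class EmbedAuditor(HTMLParser):
    """Collects reasons why a stored embed value could run script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"unexpected <{tag}> element")
        for name, value in attrs:
            # Browsers ignore tabs/newlines inside a URL scheme, so drop them.
            compact = "".join(c for c in (value or "").lower() if c > " ")
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name == "srcdoc":
                self.findings.append(f"inline document in srcdoc on <{tag}>")
            elif name in URL_ATTRS and compact.startswith(("javascript:", "data:")):
                self.findings.append(f"script-capable URL in {name} on <{tag}>")

def audit_embeds(rows):
    """rows: (item_id, stored_embed) pairs. Returns {item_id: [findings]}."""
    flagged = {}
    for item_id, markup in rows:
        auditor = EmbedAuditor()
        auditor.feed(markup or "")
        auditor.close()
        if auditor.findings:
            flagged[item_id] = auditor.findings
    return flagged

# Constructed sample values, not taken from a real site.
SAMPLE_ROWS = [
    (1, '<iframe src="https://video.example/embed/abc" allowfullscreen></iframe>'),
    (2, '<script>/* injected */</script>'),
    (3, '<iframe src="https://video.example/e" onload="/* injected */"></iframe>'),
    (4, '<iframe src="java&#9;script:void(0)"></iframe>'),
]

if __name__ == "__main__":
    for item_id, reasons in audit_embeds(SAMPLE_ROWS).items():
        print(item_id, "; ".join(reasons))
```

Flagged items are candidates for manual review and cleanup; the audit does not replace escaping or sanitizing the field at output time.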
Affected Version(s)
K2 extension for Joomla 1.0-2.26
