HTML Injection Vulnerability in K2 by GetK2
CVE-2026-48942
Currently unrated
What is CVE-2026-48942?
K2 component versions up to 2.26 render user images by inserting the value of the #__k2_users.image column directly into HTML src attributes without escaping it. This allows HTML injection, letting attackers execute malicious scripts in the context of a user's browser.
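The pattern described above, shown beside a hardened form. This is an added example, not K2's own code: the function names, the fallback file name, the file-name allowlist and the sample value are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (hypothetical): the stored column value is concatenated
// into the src attribute as-is, so a double quote in the value ends the
// attribute early and the remainder is parsed as new markup.
function renderAvatarUnsafe(string $image): string
{
    return '<img src="' . $image . '" alt="User avatar">';
}

// Output encoding for an HTML attribute context: quotes, angle brackets and
// ampersands become entities, so the value cannot leave the src attribute.
function renderAvatarEscaped(string $image): string
{
    $safe = htmlspecialchars($image, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="' . $safe . '" alt="User avatar">';
}

// Defence in depth. Assumption: avatars are stored as plain file names such
// as "42.jpg". Anything else is replaced by a fallback before rendering.
function renderAvatarValidated(string $image): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(?:jpe?g|png|gif|webp)\z/', $image)) {
        $image = 'placeholder.png'; // hypothetical fallback image
    }
    return renderAvatarEscaped($image);
}

// Constructed sample standing in for a #__k2_users.image value that contains
// a double quote followed by an extra, harmless attribute.
$stored = 'avatar.jpg" data-injected="1';

foreach (['renderAvatarUnsafe', 'renderAvatarEscaped', 'renderAvatarValidated'] as $fn) {
    $html = $fn($stored);

    // Parse the markup the way a browser would and report whether the stored
    // value managed to create an attribute of its own on the <img> element.
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $img = $doc->getElementsByTagName('img')->item(0);
    $injected = $img !== null && $img->hasAttribute('data-injected');

    printf("%-22s %s\n  extra attribute created: %s\n",
        $fn, $html, $injected ? 'yes' : 'no');
}
```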
Affected Version(s)
K2 extension for Joomla 1.0-2.26
