PT-2026-52463 · Getk2.Com · K2 Extension For Joomla

Matan Bahar

+1

·

Published

2026-06-25

·

Updated

2026-06-25

·

CVE-2026-48940

CVSS v3.1

3.4

Low

VectorAV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose embedVideo POST field contains a raw <script> tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2026-48940

Affected Products

K2 Extension For Joomla