CVE-2026-48940

CVE-2026-48940: Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26

Vendor: Getk2.Org
Product: K2 extension for Joomla
Weakness: CWE-79 · XSS
Published: June 25, 2026
Last update: June 28, 2026

CVSS base score

What the vulnerability does

Description

A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
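
One way to audit values that were already stored before an upgrade, as an added example that is not K2's code or part of the CVE record: it parses each stored `embedVideo` value and reports markup that could execute script in a visitor's browser. The tag allowlist, the function names and the sample rows are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy (not from the advisory): tags a video embed legitimately needs.
ALLOWED_TAGS = {"iframe", "video", "source", "track"}
URL_ATTRS = {"src", "poster"}

class EmbedAuditor(HTMLParser):
    """Collects reasons a stored embed value could run script when rendered."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:  # html.parser lowercases tag names
            self.findings.append(f"disallowed tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            elif name == "srcdoc":
                self.findings.append("srcdoc carries inline HTML")
            elif name in URL_ATTRS and value:
                # Browsers ignore whitespace and control characters in a scheme.
                scheme = urlparse(re.sub(r"[\x00-\x20]", "", value)).scheme.lower()
                if scheme not in ("", "http", "https"):
                    self.findings.append(f"{name} uses {scheme}: scheme")

def audit_embed(value):
    """Return the findings for one stored embed value (empty list means clean)."""
    auditor = EmbedAuditor()
    auditor.feed(value)
    auditor.close()
    return auditor.findings

def flag_rows(rows):
    """Map item id -> findings for every row that needs review."""
    return {item_id: f for item_id, value in rows if (f := audit_embed(value))}

# Constructed sample rows (item id, stored embedVideo value); not real site data.
SAMPLE_ROWS = [
    (101, '<iframe src="https://video.example/embed/abc" allowfullscreen></iframe>'),
    (102, '<script>alert(1)</script>'),
    (103, '<video src="https://cdn.example/clip.mp4" onloadstart="track()"></video>'),
]

if __name__ == "__main__":
    for item_id, findings in flag_rows(SAMPLE_ROWS).items():
        print(item_id, "; ".join(findings))
```

Feed `flag_rows` the (id, value) pairs exported from the site's own item storage; any item it reports should be reviewed together with the account that authored it.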

Key dates

Disclosure timeline

June 25, 2026: CVE published
June 28, 2026: Record updated