Skip to main content

K2 for Joomla CVE-2026-48940

| EUVDEUVD-2026-39445 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-25 Joomla GHSA-4gq9-7rp6-9749
3.4
CVSS 3.1 · Vendor: Joomla

Severity by source

Vendor (Joomla) PRIMARY
3.4 LOW
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
vuln.today AI
5.4 MEDIUM

PR:L chosen over PR:H because Author-tier is a low-privilege CMS role; I:L added to reflect stored XSS enabling DOM manipulation in the victim's browser context.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Joomla).

CVSS VectorVendor: Joomla

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 25, 2026 - 21:41 vuln.today
CVSS changed
Jun 25, 2026 - 19:22 NVD
3.4 (LOW)
CVE Published
Jun 25, 2026 - 15:26 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose embedVideo POST field contains a raw <script> tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.

AnalysisAI

Stored cross-site scripting in K2 extension for Joomla (versions 1.0-2.26) allows an authenticated Author-tier user to inject arbitrary JavaScript into the embedVideo POST field, which K2 stores verbatim and renders unescaped to every subsequent visitor of that article page. Any Joomla user granted K2 'create item' rights - the Author tier by default - can weaponize this to steal session cookies, redirect victims, or perform actions on behalf of any visitor including administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain K2 Author-tier Joomla account
Delivery
Submit article with script tag in embedVideo field
Exploit
Article published to site
Execution
Victim visits article page
Persist
Injected script executes in victim browser
Impact
Session token or credentials harvested

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid Joomla account with K2 'create item' rights, which maps to the Author tier by default in K2 configurations - meaning any registered content contributor on multi-author Joomla sites qualifies. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS base score of 3.4 (Low) is primarily driven by PR:H (high privileges required), which understates realistic risk: in Joomla's user hierarchy, 'Author' is a low-privilege authenticated role routinely granted to content contributors, making PR:L a more accurate characterization and raising the practical exploitability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a Joomla account with K2 Author-tier 'create item' rights and submits a new K2 article with the embedVideo field set to a script tag containing a cookie-harvesting or credential-phishing payload. The malicious article is published (or awaits editorial review), and any visitor - including site administrators - who loads the article page triggers execution of the injected script in their browser, potentially exposing session tokens or enabling account takeover. …
Remediation No vendor-released patched version has been independently confirmed in the available intelligence; the only reference pointing to the vendor is the homepage https://www.getk2.org/, which should be consulted for any updated K2 release addressing this CVE. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48940 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy