Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
PR:L chosen over PR:H because Author-tier is a low-privilege CMS role; I:L added to reflect stored XSS enabling DOM manipulation in the victim's browser context.
Primary rating from Vendor (Joomla).
CVSS VectorVendor: Joomla
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose embedVideo POST field contains a raw <script> tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
AnalysisAI
Stored cross-site scripting in K2 extension for Joomla (versions 1.0-2.26) allows an authenticated Author-tier user to inject arbitrary JavaScript into the embedVideo POST field, which K2 stores verbatim and renders unescaped to every subsequent visitor of that article page. Any Joomla user granted K2 'create item' rights - the Author tier by default - can weaponize this to steal session cookies, redirect victims, or perform actions on behalf of any visitor including administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid Joomla account with K2 'create item' rights, which maps to the Author tier by default in K2 configurations - meaning any registered content contributor on multi-author Joomla sites qualifies. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS base score of 3.4 (Low) is primarily driven by PR:H (high privileges required), which understates realistic risk: in Joomla's user hierarchy, 'Author' is a low-privilege authenticated role routinely granted to content contributors, making PR:L a more accurate characterization and raising the practical exploitability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a Joomla account with K2 Author-tier 'create item' rights and submits a new K2 article with the embedVideo field set to a script tag containing a cookie-harvesting or credential-phishing payload. The malicious article is published (or awaits editorial review), and any visitor - including site administrators - who loads the article page triggers execution of the injected script in their browser, potentially exposing session tokens or enabling account takeover. … |
| Remediation | No vendor-released patched version has been independently confirmed in the available intelligence; the only reference pointing to the vendor is the homepage https://www.getk2.org/, which should be consulted for any updated K2 release addressing this CVE. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in K2 Extension For Joomla
View allPath traversal in the K2 extension for Joomla (versions 1.0-2.26) allows authenticated Authors to copy arbitrary web-rea
Mass-assignment in the K2 Extension for Joomla (versions up to 2.24 per CVE description, up to 2.26 per EUVD-2026-39438)
Unauthorized folder deletion in the K2 Extension for Joomla (versions 1.0 through 2.26) exposes a public-facing `item.ch
Unrestricted PHP file upload in K2 extension for Joomla (versions 1.0–2.26) enables any authenticated K2 Author to achie
K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both
Unrestricted file upload in K2 Extension for Joomla (versions 1.0 through 2.26) permits attackers to embed PHP scripts i
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39445
GHSA-4gq9-7rp6-9749