1. Home
  2. CVE Database
  3. CVE-2026-48940
LOW · 3.4

CVE-2026-48940

A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to...

Vulnerability Description

A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.

CVSS Score

3.4

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE

Affected Products

VendorProductVersions
JoomlaworksK2<= 2.26

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2026-48940?

CVE-2026-48940 is a vulnerability with a CVSS score of 3.4 (LOW). A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to...

How severe is CVE-2026-48940?

CVE-2026-48940 has been rated LOW with a CVSS base score of 3.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-48940?

Check the references section above for vendor advisories and patch information. Affected products include: Joomlaworks K2.