PatchSiren cyber security CVE debrief

CVE-2026-48940 Joomlaworks CVE debrief

A Joomla user with K2 'create item' rights, typically at the Author tier, can submit an article with a raw <script> tag in the embedVideo POST field. The K2 extension stores this input verbatim and renders it unescaped on the article page, so the injected script can execute in the browser of anyone who views that article. This vulnerability has a CVSS score of 3.4 and is considered low severity. The issue was published on June 25, 2026, and last modified on June 28, 2026. Administrators should ensure that user roles are properly configured so that 'create item' rights are granted only to trusted accounts, and users who hold those rights should take care with the content they submit.

Vendor: Joomlaworks
Product: K2
CVSS: LOW 3.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-25
Original CVE updated: 2026-06-28
Advisory published: 2026-06-25
Advisory updated: 2026-06-28

Who should care

Joomla users with K2 'create item' rights, administrators of Joomla sites using the K2 extension, and security teams monitoring for potential script injection attacks should be aware of this vulnerability. Although the CVSS score is low, the potential for script injection makes it important for those with relevant roles to take note and assess their exposure.

Technical summary

The vulnerability exists in the K2 extension for Joomla, specifically in how it handles user input in the embedVideo POST field. Users with 'create item' rights can inject raw <script> tags, which are stored and rendered unescaped on the article page, a stored cross-site scripting condition that could allow malicious script execution. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N: the flaw is reachable over the network with low attack complexity, but it requires an account with high privileges (PR:H) and user interaction by a victim (UI:R); the scope is changed because the script runs in other users' browsers, and the rated impact is limited to confidentiality (C:L) with no integrity or availability impact.

Defensive priority

Given the low CVSS score, the need for an account that already holds 'create item' rights, and the requirement for user interaction, the defensive priority is moderate. However, administrators should still take steps to mitigate the risk, especially if users with 'create item' rights are not trusted or if the site allows public submissions.

Recommended defensive actions

  • Review and restrict user roles with 'create item' rights in the K2 extension.
  • Implement additional input validation and sanitization for the embedVideo field.
  • Monitor article submissions for suspicious activity.
  • Check whether a K2 release that fixes this issue is available and upgrade to it if so.
  • Educate users with 'create item' rights about the risks of script injection and the importance of proper content creation practices.
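The technical summary and the "input validation and sanitization" action above both come down to the same two controls: never store user-supplied markup in the embedVideo field, and escape whatever is stored when it is rendered. The following is an added illustration written for this debrief, not K2's or Joomlaworks' own code; the function names, the allow-list of video hosts and the iframe markup are assumptions chosen for the example.

```php
<?php
// Added illustration, not K2's own code. Instead of storing whatever markup
// a user submits in embedVideo, accept only a plain HTTPS URL on an allowed
// video host and build the embed markup on the server at render time.

// Assumed allow-list for the example; a real site would configure its own.
const ALLOWED_VIDEO_HOSTS = ['www.youtube.com', 'youtu.be', 'vimeo.com'];

/**
 * Validate a submitted embedVideo value. Returns the URL when it is a
 * well-formed HTTPS URL on an allowed host, otherwise null so the caller
 * stores nothing. A value such as "<script>..." is not a URL and is rejected.
 */
function validateEmbedVideo(string $input): ?string
{
    $input = trim($input);
    if ($input === '' || strlen($input) > 2048) {
        return null;
    }
    if (filter_var($input, FILTER_VALIDATE_URL) === false) {
        return null;                       // not a syntactically valid URL
    }
    $parts = parse_url($input);
    if (($parts['scheme'] ?? '') !== 'https') {
        return null;                       // blocks javascript:, data:, http:
    }
    $host = strtolower($parts['host'] ?? '');
    if (!in_array($host, ALLOWED_VIDEO_HOSTS, true)) {
        return null;
    }
    return $input;
}

/**
 * Render the stored value. The URL is HTML-escaped when placed in the
 * attribute, so even an unexpected stored value cannot break out of it.
 */
function renderEmbedVideo(?string $storedUrl): string
{
    if ($storedUrl === null || $storedUrl === '') {
        return '';
    }
    $safe = htmlspecialchars($storedUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<iframe src="' . $safe . '" allowfullscreen></iframe>';
}

// Pattern the advisory describes (unsafe): raw field stored and echoed.
//   echo $item->embedVideo;
// Hardened: persist only validateEmbedVideo($_POST['embedVideo']), then:
//   echo renderEmbedVideo($item->embedVideo);
```

Output escaping on its own would already prevent the stored <script> from executing; the allow-list additionally keeps the field from ever holding markup, which is what the original K2 field expects to store.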

Evidence notes

The CVE record and NVD detail provide official information about the vulnerability. The source item URL offers additional context from the NVD database. The reference to https://www.getk2.org/ may provide further information about the K2 extension and potential mitigations.

Official resources

This article was generated with AI assistance based on the supplied source corpus and is intended for informational purposes only.