Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Unauthenticated network deletion of gallery directories produces integrity and availability impact (I:L, A:L); no confidentiality exposure from a delete-only operation justifies C:N.
Primary rating from Vendor (Joomla).
CVSS VectorVendor: Joomla
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The K2 frontend item.checkin task accepts an unauthenticated sigProFolder query parameter and uses it directly to address a JFolder::delete() call under /media/k2/galleries/
AnalysisAI
Unauthorized folder deletion in the K2 Extension for Joomla (versions 1.0 through 2.26) exposes a public-facing item.checkin task that accepts an unauthenticated sigProFolder query parameter and passes it directly to JFolder::delete() under /media/k2/galleries/, with no authorization check whatsoever (CWE-862). Any unauthenticated remote attacker can trigger deletion of gallery directories simply by crafting an HTTP request - no session, token, or credentials required. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication, session token, CSRF token, or user interaction is required; the `item.checkin` task is exposed on the public Joomla frontend and accepts unauthenticated HTTP requests by design in the affected versions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) reflects unauthenticated, low-complexity network exploitation, but the A:N (no availability impact) metric appears inconsistent with the ability to irreversibly delete filesystem directories - loss of gallery content is an availability impact and should be at least A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP GET request such as `https://target-site.com/index.php?option=com_k2&task=item.checkin&sigProFolder=some_gallery_name` to any Joomla site running K2 1.0-2.26. The K2 frontend controller passes `some_gallery_name` directly to `JFolder::delete()`, silently removing the corresponding directory under `/media/k2/galleries/` with no credential or CSRF token check. … |
| Remediation | Upgrade K2 to a release beyond version 2.26 once the vendor publishes a patched build at https://www.getk2.org/ - no exact patched version number is confirmed in the currently available references, so verify the official K2 changelog before deploying any update. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in K2 Extension For Joomla
View allPath traversal in the K2 extension for Joomla (versions 1.0-2.26) allows authenticated Authors to copy arbitrary web-rea
Mass-assignment in the K2 Extension for Joomla (versions up to 2.24 per CVE description, up to 2.26 per EUVD-2026-39438)
Unrestricted PHP file upload in K2 extension for Joomla (versions 1.0–2.26) enables any authenticated K2 Author to achie
K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both
Unrestricted file upload in K2 Extension for Joomla (versions 1.0 through 2.26) permits attackers to embed PHP scripts i
Stored cross-site scripting in K2 extension for Joomla (versions 1.0-2.26) allows an authenticated Author-tier user to i
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39443
GHSA-xfx4-jrpq-pvcp