Skip to main content

K2 for Joomla CVE-2026-48941

| EUVDEUVD-2026-39443 MEDIUM
Missing Authorization (CWE-862)
2026-06-25 Joomla GHSA-xfx4-jrpq-pvcp
6.5
CVSS 3.1 · Vendor: Joomla
Share

Severity by source

Vendor (Joomla) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Unauthenticated network deletion of gallery directories produces integrity and availability impact (I:L, A:L); no confidentiality exposure from a delete-only operation justifies C:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Joomla).

CVSS VectorVendor: Joomla

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 25, 2026 - 21:40 vuln.today
CVSS changed
Jun 25, 2026 - 19:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 25, 2026 - 15:25 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 15:25 cve.org
MEDIUM 6.5

DescriptionCVE.org

The K2 frontend item.checkin task accepts an unauthenticated sigProFolder query parameter and uses it directly to address a JFolder::delete() call under /media/k2/galleries/

AnalysisAI

Unauthorized folder deletion in the K2 Extension for Joomla (versions 1.0 through 2.26) exposes a public-facing item.checkin task that accepts an unauthenticated sigProFolder query parameter and passes it directly to JFolder::delete() under /media/k2/galleries/, with no authorization check whatsoever (CWE-862). Any unauthenticated remote attacker can trigger deletion of gallery directories simply by crafting an HTTP request - no session, token, or credentials required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify public Joomla site running K2
Delivery
Send unauthenticated HTTP request to item.checkin task
Exploit
Inject target directory name via sigProFolder parameter
Execution
JFolder::delete() executes without authorization check
Impact
Gallery directory permanently removed from filesystem

Vulnerability AssessmentAI

Exploitation No authentication, session token, CSRF token, or user interaction is required; the `item.checkin` task is exposed on the public Joomla frontend and accepts unauthenticated HTTP requests by design in the affected versions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) reflects unauthenticated, low-complexity network exploitation, but the A:N (no availability impact) metric appears inconsistent with the ability to irreversibly delete filesystem directories - loss of gallery content is an availability impact and should be at least A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP GET request such as `https://target-site.com/index.php?option=com_k2&task=item.checkin&sigProFolder=some_gallery_name` to any Joomla site running K2 1.0-2.26. The K2 frontend controller passes `some_gallery_name` directly to `JFolder::delete()`, silently removing the corresponding directory under `/media/k2/galleries/` with no credential or CSRF token check. …
Remediation Upgrade K2 to a release beyond version 2.26 once the vendor publishes a patched build at https://www.getk2.org/ - no exact patched version number is confirmed in the currently available references, so verify the official K2 changelog before deploying any update. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48941 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy