Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Requires a registered Joomla account (PR:L, not PR:N); network-based HTTP POST with no complexity; limited integrity write to own row and partial confidentiality via hidden field exposure.
Primary rating from Vendor (Joomla).
CVSS VectorVendor: Joomla
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plg_user_k2. A Registered Joomla user, by including the field K2UserForm=1 in a standard com_users profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the #__k2_users table - none of which are exposed by the K2 frontend profile-edit form.
AnalysisAI
Mass-assignment in the K2 Extension for Joomla (versions up to 2.24 per CVE description, up to 2.26 per EUVD-2026-39438) allows any registered Joomla user to overwrite hidden database columns - notes, image, and plugins - in their own #__k2_users row by injecting the K2UserForm=1 parameter into a standard com_users profile.save POST request. The attack is automatable per SSVC assessment, but impact is constrained to the attacker's own user record, with no current active exploitation identified. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold an active registered Joomla user account on the target site - any default registered role suffices; no elevated permissions are needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | A critical discrepancy exists in the provided CVSS 3.1 vector: the assigned AV:N/AC:L/PR:N/UI:N implies unauthenticated exploitation, but the CVE description explicitly requires a registered Joomla user account - a PR:L scenario. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free account on a Joomla site running K2, then manually appends K2UserForm=1 along with arbitrary values for the notes, image, or plugins parameters to the standard profile.save HTTP POST request using a browser's developer tools or an intercepting proxy such as Burp Suite. Because plg_user_k2 does not validate the allowable column set before writing, the injected values are persisted directly into the attacker's row in #__k2_users; no public proof-of-concept code is known at time of analysis, but the attack requires only basic HTTP manipulation and is independently reproducible from the CVE description alone. |
| Remediation | No specific patched version has been confirmed in the available references; the vendor site at https://www.getk2.org/ should be consulted immediately for an official advisory and upgrade path. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in K2 Extension For Joomla
View allPath traversal in the K2 extension for Joomla (versions 1.0-2.26) allows authenticated Authors to copy arbitrary web-rea
Unauthorized folder deletion in the K2 Extension for Joomla (versions 1.0 through 2.26) exposes a public-facing `item.ch
Unrestricted PHP file upload in K2 extension for Joomla (versions 1.0–2.26) enables any authenticated K2 Author to achie
K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both
Unrestricted file upload in K2 Extension for Joomla (versions 1.0 through 2.26) permits attackers to embed PHP scripts i
Stored cross-site scripting in K2 extension for Joomla (versions 1.0-2.26) allows an authenticated Author-tier user to i
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39438
GHSA-x6c6-vg4w-8r3r