Skip to main content

K2 Extension CVE-2026-48943

| EUVDEUVD-2026-39438 MEDIUM
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-06-25 Joomla GHSA-x6c6-vg4w-8r3r
6.5
CVSS 3.1 · Vendor: Joomla
Share

Severity by source

Vendor (Joomla) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Requires a registered Joomla account (PR:L, not PR:N); network-based HTTP POST with no complexity; limited integrity write to own row and partial confidentiality via hidden field exposure.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Joomla).

CVSS VectorVendor: Joomla

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 25, 2026 - 21:40 vuln.today
CVSS changed
Jun 25, 2026 - 19:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 25, 2026 - 15:22 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plg_user_k2. A Registered Joomla user, by including the field K2UserForm=1 in a standard com_users profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the #__k2_users table - none of which are exposed by the K2 frontend profile-edit form.

AnalysisAI

Mass-assignment in the K2 Extension for Joomla (versions up to 2.24 per CVE description, up to 2.26 per EUVD-2026-39438) allows any registered Joomla user to overwrite hidden database columns - notes, image, and plugins - in their own #__k2_users row by injecting the K2UserForm=1 parameter into a standard com_users profile.save POST request. The attack is automatable per SSVC assessment, but impact is constrained to the attacker's own user record, with no current active exploitation identified. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain valid Joomla user account
Delivery
Identify target site with K2 plg_user_k2 plugin enabled
Exploit
Intercept standard profile.save POST request
Execution
Inject K2UserForm=1 and arbitrary column values into POST body
Persist
Submit request to com_users endpoint
Impact
Attacker-controlled data persisted to notes, image, or plugins columns in #__k2_users

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold an active registered Joomla user account on the target site - any default registered role suffices; no elevated permissions are needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment A critical discrepancy exists in the provided CVSS 3.1 vector: the assigned AV:N/AC:L/PR:N/UI:N implies unauthenticated exploitation, but the CVE description explicitly requires a registered Joomla user account - a PR:L scenario. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free account on a Joomla site running K2, then manually appends K2UserForm=1 along with arbitrary values for the notes, image, or plugins parameters to the standard profile.save HTTP POST request using a browser's developer tools or an intercepting proxy such as Burp Suite. Because plg_user_k2 does not validate the allowable column set before writing, the injected values are persisted directly into the attacker's row in #__k2_users; no public proof-of-concept code is known at time of analysis, but the attack requires only basic HTTP manipulation and is independently reproducible from the CVE description alone.
Remediation No specific patched version has been confirmed in the available references; the vendor site at https://www.getk2.org/ should be consulted immediately for an official advisory and upgrade path. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48943 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy