K2 Extension For Joomla
Monthly
Unrestricted file upload in K2 Extension for Joomla (versions 1.0 through 2.26) permits attackers to embed PHP scripts inside zip or tar archives uploaded via the article gallery feature, which are then extracted as-is into the publicly accessible `/media/k2/galleries/<id>/` directory and remain directly executable via HTTP. The extension applies renaming sanitization only to recognized image types, leaving PHP, shell, and other dangerous file types completely unfiltered post-extraction - a textbook CWE-434 flaw. No public exploit has been identified at time of analysis, but the reported CVSS base vector (AV:N/AC:L/PR:N/UI:N) and the nature of the flaw indicate trivial exploitability; notably, the reported CVSS impact metrics (C:L/I:N/A:N) appear to significantly understate the actual consequence of achieving arbitrary PHP code execution on the server.
Stored cross-site scripting in K2 extension for Joomla (versions 1.0-2.26) allows an authenticated Author-tier user to inject arbitrary JavaScript into the embedVideo POST field, which K2 stores verbatim and renders unescaped to every subsequent visitor of that article page. Any Joomla user granted K2 'create item' rights - the Author tier by default - can weaponize this to steal session cookies, redirect victims, or perform actions on behalf of any visitor including administrators. No public exploit code has been identified at time of analysis, and CISA SSVC classifies exploitation as none with partial technical impact.
Unauthorized folder deletion in the K2 Extension for Joomla (versions 1.0 through 2.26) exposes a public-facing `item.checkin` task that accepts an unauthenticated `sigProFolder` query parameter and passes it directly to `JFolder::delete()` under `/media/k2/galleries/`, with no authorization check whatsoever (CWE-862). Any unauthenticated remote attacker can trigger deletion of gallery directories simply by crafting an HTTP request - no session, token, or credentials required. No public exploit code has been identified at time of analysis, though SSVC rates this as automatable with partial technical impact, meaning scripted bulk targeting of affected Joomla installations is straightforward.
Unrestricted PHP file upload in K2 extension for Joomla (versions 1.0–2.26) enables any authenticated K2 Author to achieve remote code execution by uploading a PHP webshell via the frontend article-attachment upload endpoint and executing it through Apache mod_php. Because the upload handler performs no extension filtering, a `.php` file is written to `/media/k2/attachments/` and served by Apache's standard `\.php$` handler, executing arbitrary code as the web server process user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the attack path is elementary once Author-level access is obtained.
Path traversal in the K2 extension for Joomla (versions 1.0-2.26) allows authenticated Authors to copy arbitrary web-readable files - including Joomla's database credential file `configuration.php` and OS files such as `/etc/passwd` - into a publicly accessible directory for retrieval. The article-save handler's `attachment[N][existing]` POST parameter is concatenated with `JPATH_SITE/` and passed directly to `JFile::copy()` without stripping `../` sequences or enforcing a source-path allow-list, making traversal trivial. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the confidentiality impact is severe on multi-author Joomla sites where Author accounts may be widely distributed.
K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.
Mass-assignment in the K2 Extension for Joomla (versions up to 2.24 per CVE description, up to 2.26 per EUVD-2026-39438) allows any registered Joomla user to overwrite hidden database columns - notes, image, and plugins - in their own #__k2_users row by injecting the K2UserForm=1 parameter into a standard com_users profile.save POST request. The attack is automatable per SSVC assessment, but impact is constrained to the attacker's own user record, with no current active exploitation identified. The plugins column exposure warrants particular scrutiny, as it may influence per-user K2 component behavior in ways beyond simple data tampering.
Unrestricted file upload in K2 Extension for Joomla (versions 1.0 through 2.26) permits attackers to embed PHP scripts inside zip or tar archives uploaded via the article gallery feature, which are then extracted as-is into the publicly accessible `/media/k2/galleries/<id>/` directory and remain directly executable via HTTP. The extension applies renaming sanitization only to recognized image types, leaving PHP, shell, and other dangerous file types completely unfiltered post-extraction - a textbook CWE-434 flaw. No public exploit has been identified at time of analysis, but the reported CVSS base vector (AV:N/AC:L/PR:N/UI:N) and the nature of the flaw indicate trivial exploitability; notably, the reported CVSS impact metrics (C:L/I:N/A:N) appear to significantly understate the actual consequence of achieving arbitrary PHP code execution on the server.
Stored cross-site scripting in K2 extension for Joomla (versions 1.0-2.26) allows an authenticated Author-tier user to inject arbitrary JavaScript into the embedVideo POST field, which K2 stores verbatim and renders unescaped to every subsequent visitor of that article page. Any Joomla user granted K2 'create item' rights - the Author tier by default - can weaponize this to steal session cookies, redirect victims, or perform actions on behalf of any visitor including administrators. No public exploit code has been identified at time of analysis, and CISA SSVC classifies exploitation as none with partial technical impact.
Unauthorized folder deletion in the K2 Extension for Joomla (versions 1.0 through 2.26) exposes a public-facing `item.checkin` task that accepts an unauthenticated `sigProFolder` query parameter and passes it directly to `JFolder::delete()` under `/media/k2/galleries/`, with no authorization check whatsoever (CWE-862). Any unauthenticated remote attacker can trigger deletion of gallery directories simply by crafting an HTTP request - no session, token, or credentials required. No public exploit code has been identified at time of analysis, though SSVC rates this as automatable with partial technical impact, meaning scripted bulk targeting of affected Joomla installations is straightforward.
Unrestricted PHP file upload in K2 extension for Joomla (versions 1.0–2.26) enables any authenticated K2 Author to achieve remote code execution by uploading a PHP webshell via the frontend article-attachment upload endpoint and executing it through Apache mod_php. Because the upload handler performs no extension filtering, a `.php` file is written to `/media/k2/attachments/` and served by Apache's standard `\.php$` handler, executing arbitrary code as the web server process user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the attack path is elementary once Author-level access is obtained.
Path traversal in the K2 extension for Joomla (versions 1.0-2.26) allows authenticated Authors to copy arbitrary web-readable files - including Joomla's database credential file `configuration.php` and OS files such as `/etc/passwd` - into a publicly accessible directory for retrieval. The article-save handler's `attachment[N][existing]` POST parameter is concatenated with `JPATH_SITE/` and passed directly to `JFile::copy()` without stripping `../` sequences or enforcing a source-path allow-list, making traversal trivial. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the confidentiality impact is severe on multi-author Joomla sites where Author accounts may be widely distributed.
K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.
Mass-assignment in the K2 Extension for Joomla (versions up to 2.24 per CVE description, up to 2.26 per EUVD-2026-39438) allows any registered Joomla user to overwrite hidden database columns - notes, image, and plugins - in their own #__k2_users row by injecting the K2UserForm=1 parameter into a standard com_users profile.save POST request. The attack is automatable per SSVC assessment, but impact is constrained to the attacker's own user record, with no current active exploitation identified. The plugins column exposure warrants particular scrutiny, as it may influence per-user K2 component behavior in ways beyond simple data tampering.