CVE-2026-48943
Joomla Extension - getk2.com - Authenticated user property mass-assignment in K2 extension for Joomla < 2.26
| Metric | Value |
| --- | --- |
| CVSS Score | 6.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table — none of which are exposed by the K2 frontend profile-edit form.
| Field | Value |
| --- | --- |
| CWE | CWE-915 |
| Vendor | getk2.com |
| Product | k2 extension for joomla |
| Published | Jun 25, 2026 |
| Last Updated | Jun 25, 2026 |
Affected Versions
| Vendor / Product | Versions |
| --- | --- |
| getk2.com / K2 extension for Joomla | 1.0-2.26 |
Credits
Matan Bahar, Niv Kochan