CVE-2026-48941

Summary

The K2 frontend item.checkin task accepts an unauthenticated sigProFolder query parameter and uses it directly to address a JFolder::delete() call under /media/k2/galleries/

Affected Software

VendorProductVersion RangeStatus
getk2.orgK2 extension for Joomla1.0-2.26affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorisation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References