CVE-2026-48943

Summary

K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plg_user_k2. A Registered Joomla user, by including the field K2UserForm=1 in a standard com_users profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the #__k2_users table — none of which are exposed by the K2 frontend profile-edit form.

Affected Software

VendorProductVersion RangeStatus
getk2.orgK2 extension for Joomla1.0-2.26affected

Weaknesses

  • CWE-915: CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes — i.e. mass-assignment

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References