CVE-2026-48943 | K2 ≤ 2.24 contains a mass-assignment defect in the K2 system… | CVSS 6.5 MEDIUM

Description

K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table — none of which are exposed by the K2 frontend profile-edit form.

Metadata

CVE ID: CVE-2026-48943
State: PUBLISHED
Assigner: Joomla
Reserved: 2026-05-26 16:47 UTC
Published: 2026-06-25 15:22 UTC
Last updated: 2026-06-25 18:46 UTC
Primary CWE: CWE-915
CWE-915 Improperly Controlled Modification of Dynamically-De…
Vendor / Product: getk2.com / K2 extension for Joomla
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
getk2.com	K2 extension for Joomla	—	1.0-2.26

Weakness (CWE)

CWE	Source	Description
CWE-915	cna	CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes — i.e. mass-assignment

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.5	MEDIUM	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (1)

https://www.getk2.org/