CVE-2026-48943 - Joomla Extension - getk2.com - Authenticated user property mass-assignment in K2 extension for Joomla < 2.26
CVE ID :CVE-2026-48943
Published : June 25, 2026, 3:22 p.m. | 1 hour, 18 minutes ago
Description :K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table — none of which are exposed by the K2 frontend profile-edit form.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : June 25, 2026, 3:22 p.m. | 1 hour, 18 minutes ago
Description :K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table — none of which are exposed by the K2 frontend profile-edit form.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...