Vulnerability Details CVE-2026-48943
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table — none of which are exposed by the K2 frontend profile-edit form.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 8.0%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2026-48943
-
cpe:2.3:a:joomlaworks:k2:-
-
cpe:2.3:a:joomlaworks:k2:2.10.1
-
cpe:2.3:a:joomlaworks:k2:2.13
-
cpe:2.3:a:joomlaworks:k2:2.14
-
cpe:2.3:a:joomlaworks:k2:2.15
-
cpe:2.3:a:joomlaworks:k2:2.16
-
cpe:2.3:a:joomlaworks:k2:2.17
-
cpe:2.3:a:joomlaworks:k2:2.18
-
cpe:2.3:a:joomlaworks:k2:2.19
-
cpe:2.3:a:joomlaworks:k2:2.20
-
cpe:2.3:a:joomlaworks:k2:2.21
-
cpe:2.3:a:joomlaworks:k2:2.22
-
cpe:2.3:a:joomlaworks:k2:2.23
-
cpe:2.3:a:joomlaworks:k2:2.24
-
cpe:2.3:a:joomlaworks:k2:2.25
-
cpe:2.3:a:joomlaworks:k2:2.26
-
cpe:2.3:a:joomlaworks:k2:2.8.0