CVE Catalog

CVE-2026-48943

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

A mass-assignment vulnerability in K2 ≤ 2.24 exists in the `plg_user_k2` system user plugin. A registered Joomla user can, by including the `K2UserForm=1` field in a standard `com_users` `profile.save` POST request, write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table, which are not exposed by the K2 frontend profile-edit form.

Risk Assessment

The risk involves unauthorized modification of user data in the K2 table, potentially leading to privilege escalation, injection of malicious content, or data integrity compromise.

Recommendation

Immediately update K2 to a version newer than 2.24, which includes a fix for the mass-assignment vulnerability. If an update is not possible, temporarily disable the `plg_user_k2` plugin.

Original NVD description (English source)

K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table — none of which are exposed by the K2 frontend profile-edit form.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS