CVE-2026-48941
Received - Intake
Unauthenticated Path Traversal in K2 Media Gallery

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Joomla! Project

Description
The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to build the path passed to a `JFolder::delete()` call under `/media/k2/galleries/`.
Affected Vendors & Products
Vendor: joomla
Product: k2
Version / Range: *
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The vulnerability exists in the K2 frontend's `item.checkin` task, which accepts an unauthenticated `sigProFolder` query parameter. This parameter is used directly in a call to `JFolder::delete()` targeting directories under `/media/k2/galleries/`. Because the task requires no authentication and the parameter is not validated before use, it may allow unauthorized deletion of folders.

Impact Analysis

This vulnerability can lead to unauthorized deletion of folders within the `/media/k2/galleries/` directory. Such deletion could destroy media files and gallery data, potentially disrupting website functionality.
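The description and summary above name the two controls this handler lacks: an authorization check before the delete, and validation that the caller-supplied `sigProFolder` value cannot address anything outside `/media/k2/galleries/`. The following is an added illustration of those two checks, written here for this page and not taken from K2 or Joomla; the handler, the `demo()` fixture tree, the gallery name `42` and the symlink `link` are all constructed for the example.

```python
import os, shutil, tempfile

GALLERIES_ROOT = "/media/k2/galleries"  # base directory named in the advisory

class GalleryRequestRejected(Exception):
    pass

def resolve_gallery_folder(sig_pro_folder: str, root: str = GALLERIES_ROOT) -> str:
    """Map a gallery name to an absolute path, or raise if it would escape `root`."""
    name = sig_pro_folder
    # A gallery name is one plain path component: no separators, not '.' or '..'.
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        raise GalleryRequestRejected("folder name must be a single plain path component")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    # realpath follows symlinks, so a link inside root pointing outside is caught too.
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        raise GalleryRequestRejected("resolved path lies outside the galleries root")
    return candidate

def checkin_delete_gallery(is_guest: bool, can_delete: bool, sig_pro_folder: str,
                           root: str = GALLERIES_ROOT) -> str:
    """Hypothetical hardened handler: authorise first, then delete only a validated folder."""
    if is_guest or not can_delete:
        raise PermissionError("authenticated user with delete permission required")
    target = resolve_gallery_folder(sig_pro_folder, root)
    shutil.rmtree(target)
    return target

def demo() -> dict:
    """Run the checks on a constructed temporary tree; report which inputs were rejected."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "galleries")
    os.makedirs(os.path.join(root, "42"))
    os.mkdir(os.path.join(base, "outside"))
    os.symlink(os.path.join(base, "outside"), os.path.join(root, "link"))  # escape via symlink
    results = {}
    for name in ["42", "../outside", "/etc", "link", "..", ""]:
        try:
            results[name] = resolve_gallery_folder(name, root)
        except GalleryRequestRejected:
            results[name] = "rejected"
    try:
        checkin_delete_gallery(True, False, "42", root)  # unauthenticated caller
        results["guest"] = "allowed"
    except PermissionError:
        results["guest"] = "rejected"
    checkin_delete_gallery(False, True, "42", root)  # authorised caller deletes the real folder
    results["42_still_exists"] = os.path.isdir(os.path.join(root, "42"))
    shutil.rmtree(base)
    return results
```

Calling `demo()` shows every traversal-style name and the symlink escape rejected, the unauthenticated call refused before any filesystem access, and only the authorised call removing the in-root folder.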
