CVE-2026-48943
Mass Assignment in K2 Joomla Plugin

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Joomla! Project

Description
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table; none of these columns are exposed by the K2 frontend profile-edit form.
Affected Vendors & Products

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| joomla | k2 | up to 2.24 (inclusive) |
| joomla | plg_user_k2 | * |
| CWE ID | Description |
|--------|-------------|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
AI Quick Actions
Executive Summary

This vulnerability exists in K2 version 2.24 and earlier, specifically in the K2 system user plugin called plg_user_k2. It is a mass-assignment defect that allows a registered Joomla user to manipulate certain fields in their own user record.

By including the field K2UserForm=1 in a standard profile.save POST request to com_users, the user can write arbitrary values into the notes, image, and plugins columns of their own row in the #__k2_users database table. These fields are not normally exposed or editable through the K2 frontend profile-edit form.
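The Description and the Executive Summary above both describe the same CWE-915 pattern: a profile-save handler copies whatever the client posts into a user row, so columns the form never renders become writable. The PHP below is an added illustration of that defect beside the allowlist fix; it is not K2's or Joomla's code. The column list, the `PROFILE_EDITABLE` allowlist, the two `bind*` functions and the posted data are constructed for this example (the `notes`, `image` and `plugins` column names come from the advisory).

```php
<?php
// Added illustration (hypothetical, not K2's code): why binding a whole POST
// body into a user row is a mass-assignment defect, and the allowlist fix.
// Column names, field names and the request below are constructed for this
// example; only notes/image/plugins are taken from the advisory text.

// Columns that exist on the (hypothetical) k2_users row.
const K2_USER_COLUMNS = ['userID', 'description', 'gender', 'url', 'notes', 'image', 'plugins'];

// Columns the frontend profile-edit form actually renders. Everything else is
// server-managed and must never be writable from a profile save.
const PROFILE_EDITABLE = ['description', 'gender', 'url'];

/**
 * Vulnerable pattern: the loop is driven by the request, so every posted key
 * that happens to match a column name is copied into the row.
 */
function bindVulnerable(array $row, array $post): array
{
    foreach ($post as $key => $value) {
        if (in_array($key, K2_USER_COLUMNS, true)) {
            $row[$key] = $value;
        }
    }
    return $row;
}

/**
 * Hardened pattern: only keys on the allowlist are accepted. Anything else is
 * dropped and reported so tampering attempts can be logged by the caller.
 */
function bindAllowlisted(array $row, array $post, array &$rejected = []): array
{
    foreach ($post as $key => $value) {
        if (!in_array($key, PROFILE_EDITABLE, true)) {
            $rejected[] = $key;
            continue;
        }
        $row[$key] = is_string($value) ? trim($value) : $value;
    }
    return $row;
}

// Constructed request: the three form fields plus keys the form never shows.
$post = [
    'description' => 'Hello',
    'gender'      => 'f',
    'url'         => 'https://example.invalid',
    'notes'       => 'client-chosen text',
    'image'       => 'client-chosen filename',
    'plugins'     => 'client-chosen plugin params',
];

// Constructed existing row for user 42, with the server-managed columns empty.
$row = ['userID' => 42, 'description' => '', 'gender' => '', 'url' => '',
        'notes' => '', 'image' => '', 'plugins' => ''];

$bad = bindVulnerable($row, $post);
$rejected = [];
$good = bindAllowlisted($row, $post, $rejected);

printf("vulnerable: notes=[%s] image=[%s] plugins=[%s]\n",
       $bad['notes'], $bad['image'], $bad['plugins']);
printf("hardened:   notes=[%s] image=[%s] plugins=[%s] rejected=%s\n",
       $good['notes'], $good['image'], $good['plugins'], implode(',', $rejected));
```

The point of the fix is which list drives the loop: iterating the request and checking against the full column list still lets the client pick any column, whereas iterating against a per-form allowlist means the server, not the client, decides what is writable. Logging the rejected keys gives a detection signal for profile saves that carry fields the form does not render.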

Impact Analysis

This vulnerability allows a registered user to modify hidden fields in their own user profile that are not normally accessible through the frontend interface.

Writing attacker-chosen values into those columns is not intended by the application; whether it enables further exploitation depends on how the system later uses the notes, image, and plugins fields.
