Unauthenticated File Deletion in K2 Media Management by Joomla!
CVE-2026-48941
Currently unrated
What is CVE-2026-48941?
The frontend item.checkin task in the K2 media management system for Joomla! accepts a specially crafted sigProFolder query parameter from unauthenticated users. The value reaches the JFolder::delete() function without authorization, which can lead to file deletion within the /media/k2/galleries/ directory. The issue underscores the need for strict validation of user input to guard against such exploitation.
Affected Version(s)
K2 extension for Joomla 1.0-2.26
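To check whether a site has received requests of the kind described above, the following added example (not part of the advisory or of K2's code) scans web server access logs for requests that name both the item.checkin task and a sigProFolder parameter. It assumes combined log format; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed layout: Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def inspect_line(line):
    """Return a finding if the request names task=item.checkin and sigProFolder."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = defaultdict(list)
    query = urlsplit(m["target"]).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        # parse_qs percent-decodes names; PHP also accepts the array form name[].
        params[name.split("[")[0]].extend(values)
    # Case-insensitive on the task value so the detector errs toward flagging.
    if "item.checkin" not in [v.lower() for v in params["task"]]:
        return None
    if "sigProFolder" not in params:
        return None
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "sigProFolder": params["sigProFolder"]}

def scan(lines):
    """Group findings by client address."""
    hits = defaultdict(list)
    for line in lines:
        finding = inspect_line(line)
        if finding:
            hits[finding["ip"]].append(finding)
    return dict(hits)

# Constructed sample lines (documentation address ranges, placeholder values).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2026:10:00:01 +0000] "GET /index.php?view=item&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2026:10:00:05 +0000] "GET /index.php?task=item.checkin&sigProFolder=EXAMPLE-1 HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.9 - - [10/Jan/2026:10:00:06 +0000] "GET /index.php?task=item.checkin&sigPro%46older%5B%5D=EXAMPLE-2 HTTP/1.1" 303 0 "-" "-"',
    '192.0.2.44 - - [10/Jan/2026:10:02:00 +0000] "GET /index.php?task=item.checkin&cid=5 HTTP/1.1" 200 400 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG).items():
        for f in findings:
            print(ip, f["time"], f["status"], f["sigProFolder"])
```

A hit is a lead for review rather than proof of deletion: compare the flagged timestamps against the contents of /media/k2/galleries/ and backups.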
