Mass-Assignment Vulnerability in K2 User Plugin for Joomla by Ecategory
CVE-2026-48943
Currently unrated
What is CVE-2026-48943?
The K2 user plugin, version 2.24 and prior, has a mass-assignment vulnerability that allows registered Joomla users to manipulate their user profile data. By sending a POST request with the parameter K2UserForm=1, users can modify values in the notes, image, and plugins columns of their records in the #__k2_users table, even though these fields are hidden in the frontend profile edit form. This flaw can lead to unauthorized data exposure and compromise user account integrity.
Affected Version(s)
K2 extension for Joomla 1.0-2.26
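The mass-assignment pattern described above, next to an allowlisted bind, as an added example that is not K2's or Joomla's own code. The function names, the set of editable fields (description, url) and the sample row and request are assumptions constructed for illustration; only the notes, image and plugins columns and the K2UserForm parameter come from the advisory.

```php
<?php
declare(strict_types=1);

// Assumed set of fields the frontend profile form exposes (hypothetical).
const EDITABLE_FIELDS = ['description', 'url'];

/** Mass-assignment pattern: every posted key that matches a column is copied. */
function bindAll(array $row, array $post): array
{
    foreach ($post as $key => $value) {
        if (array_key_exists($key, $row)) {
            $row[$key] = $value;
        }
    }
    return $row;
}

/** Hardened pattern: only allowlisted string fields are copied; other column names are reported. */
function bindAllowlisted(array $row, array $post, array $allowed, array &$rejected = []): array
{
    foreach ($post as $key => $value) {
        if (in_array($key, $allowed, true) && is_string($value)) {
            $row[$key] = $value;
        } elseif (array_key_exists($key, $row)) {
            $rejected[] = $key; // worth logging: the client sent a column the form never offers
        }
    }
    return $row;
}

// Constructed sample data: a stored profile row (including the three columns the
// advisory names as hidden) and a profile-save request body.
$stored = ['description' => 'old bio', 'url' => '', 'notes' => 'admin note', 'image' => 'a.png', 'plugins' => ''];
$post   = ['K2UserForm' => '1', 'description' => 'new bio', 'notes' => 'changed', 'image' => 'b.png'];

$unsafe   = bindAll($stored, $post);
$rejected = [];
$safe     = bindAllowlisted($stored, $post, EDITABLE_FIELDS, $rejected);

var_dump($unsafe['notes'] !== $stored['notes']);       // did bindAll change a hidden column?
var_dump($safe['notes'] === $stored['notes']);         // did the allowlist keep it intact?
var_dump($safe['description'] === $post['description']); // does a visible field still update?
echo 'rejected keys: ', implode(',', $rejected), PHP_EOL;
```

The rejected-key list is the useful detection signal: a legitimate browser submitting the frontend form has no reason to send those column names.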
