CVE-2026-48941 PUBLISHED

Joomla Extension - getk2.com - Unauthenticated folder delete in K2 extension for Joomla < 2.26

Assigner: Joomla
Reserved: 26.05.2026 Published: 25.06.2026 Updated: 25.06.2026

The K2 frontend item.checkin task accepts a sigProFolder query parameter from unauthenticated requests and uses it directly as the target of a JFolder::delete() call under /media/k2/galleries/.

Product Status

Vendor getk2.com
Product K2 extension for Joomla
Versions Default: unaffected
  • Version 1.0-2.26 is affected

Credits

  • Matan Bahar (finder)

Problem Types

  • CWE-862: Missing Authorisation