CVE-2026-48941

CVE-2026-48941: Joomla Extension - getk2.org - Unauthenticated folder delete in K2 extension for Joomla < 2.26

Vendor Getk2.Org

Product K2 extension for Joomla

Weakness CWE-862 · Missing authorization

Published June 25, 2026

Last update June 28, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`

Key dates

Disclosure timeline

June 25, 2026 CVE published

June 28, 2026 Record updated