Joomlaworks K2 vulnerabilities
10 known vulnerabilities affecting joomlaworks/k2.
Total CVEs: 10
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 2, HIGH 1, MEDIUM 6, LOW 1
Vulnerabilities
CVE-2018-7482 | P2 | HIGH | CVSS 7.5 | Exploited | Affected: v2.8.0 | Published: 2018-02-28
CWE-22
The K2 component 2.8.0 for Joomla! has Incorrect Access Control with directory traversal, allowing an attacker to download arbitrary files, as demonstrated by a view=media&task=connector&cmd=file&target=l1_../configuration.php&download=1 request. The specific pathname ../configuration.php should be base64 encoded for a valid attack. NOTE: the vendor disp
Source: nvd
CVE-2019-19576 | P2 | CRITICAL | CVSS 9.8 | PoC | Affected: ≤ 2.10.1 | Published: 2019-12-04
CWE-434
class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
Source: nvd
CVE-2019-19634 | P3 | CRITICAL | CVSS 9.8 | Affected: ≤ 2.10.1 | Published: 2019-12-17
class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.
Source: nvd
CVE-2026-48946 | P3 | MEDIUM | CVSS 6.3 | Affected: ≤ 2.26 | Published: 2026-06-25
CWE-434
The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.
Source: nvd
CVE-2026-48944 | P3 | MEDIUM | CVSS 6.5 | Affected: ≤ 2.26 | Published: 2026-06-25
CWE-22
The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user — including `../../../e
Source: nvd
CVE-2026-48943 | P3 | MEDIUM | CVSS 6.5 | Affected: ≤ 2.26 | Published: 2026-06-25
CWE-915
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table — none of which are exposed by t
Source: nvd
CVE-2026-48941 | P3 | MEDIUM | CVSS 6.5 | Affected: ≤ 2.26 | Published: 2026-06-25
CWE-862
The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`
Source: nvd
CVE-2026-48945 | P4 | MEDIUM | CVSS 5.3 | Affected: ≤ 2.26 | Published: 2026-06-25
CWE-434
The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries//`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.
Source: nvd
CVE-2026-48942 | P4 | MEDIUM | CVSS 6.1 | Affected: ≤ 2.26 | Published: 2026-06-25
CWE-79
K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.
Source: nvd
CVE-2026-48940 | P4 | LOW | CVSS 3.4 | Affected: ≤ 2.26 | Published: 2026-06-25
CWE-79
A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
Source: nvd