CVE-2026-48941
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
A vulnerability in the K2 component for Joomla! allows an unauthenticated attacker to delete arbitrary directories via the `sigProFolder` parameter in the `item.checkin` task. The attacker can exploit this flaw to remove gallery directories under `/media/k2/galleries/`.
Risk Assessment
The risk involves remote deletion of gallery directories without authentication, potentially leading to data loss, site disruption, or further attack escalation.
Recommendation
Immediately update the K2 component to the latest version containing the fix. Until then, disable the `item.checkin` task or apply WAF rules to block dangerous parameters.
Original NVD description (English source)
The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`

