CVE Catalog

CVE-2026-48941

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

A vulnerability in the K2 component for Joomla! allows an unauthenticated attacker to delete arbitrary directories via the `sigProFolder` parameter in the `item.checkin` task. The attacker can exploit this flaw to remove gallery directories under `/media/k2/galleries/`.

Risk Assessment

The risk involves remote deletion of gallery directories without authentication, potentially leading to data loss, site disruption, or further attack escalation.

Recommendation

Immediately update the K2 component to the latest version containing the fix. Until then, disable the `item.checkin` task or apply WAF rules to block dangerous parameters.

Original NVD description (English source)

The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`

Vulnerability data from NVD (NIST) · CISA KEV · EPSS