Description
The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`
Published: 2026-06-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The K2 frontend item.checkin task exposes an unauthenticated sigProFolder query parameter that is used directly as a target for JFolder::delete() under the /media/k2/galleries directory. When an attacker supplies a path value, the application deletes that folder and all its contents. Loss of media assets can break galleries, themes, or other site functionality, causing data loss and reduced availability.

Affected Systems

This vulnerability affects the K2 extension for Joomla provided by getk2.com, for all deployment versions earlier than 2.26. Any Joomla site that has the K2 extension installed with the item.checkin task enabled and the root directory set to /media/k2/galleries is at risk.

Risk and Exploitability

Because authentication is not required, an attacker can craft a simple HTTP request including a sigProFolder parameter pointing to any folder under /media/k2/galleries. The exploit is remotely feasible, requiring no privileged access, and the CVSS score of 6.5 indicates medium severity. The vulnerability is not listed in CISA’s KEV catalog and no EPSS score is available.

Generated by OpenCVE AI on June 25, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the K2 extension to version 2.26 or later to eliminate the unauthenticated delete capability
  • Restrict filesystem permissions so that the web server user cannot delete files in /media/k2/galleries
  • Apply a web-application firewall rule to block or throttle the item.checkin task for unauthenticated users

Generated by OpenCVE AI on June 25, 2026 at 20:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.getk2.org/ cve-icon
History

Sun, 28 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title Joomla Extension - getk2.com - Unauthenticated folder delete in K2 extension for Joomla < 2.26 Joomla Extension - getk2.org - Unauthenticated folder delete in K2 extension for Joomla < 2.26

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Getk2
Getk2 k2 Extension For Joomla
Vendors & Products Getk2
Getk2 k2 Extension For Joomla

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`
Title Joomla Extension - getk2.com - Unauthenticated folder delete in K2 extension for Joomla < 2.26
Weaknesses CWE-862
References

Subscriptions

Getk2 K2 Extension For Joomla
cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-28T18:38:20.470Z

Reserved: 2026-05-26T16:47:13.550Z

Link: CVE-2026-48941

cve-icon Vulnrichment

Updated: 2026-06-25T18:50:43.926Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:37:00Z

Weaknesses