
    24 vulnerabilities by joomlaworks

    CVE-2026-48946 (GCVE-0-2026-48946)

    Vulnerability from nvd – Published: 2026-06-25 15:25 – Updated: 2026-06-28 18:37
    VLAI
    Title
    Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < 2.26
    Summary
    The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 6.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48946",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T03:55:55.052Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache\u0027s standard mod_php matches `\\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server\u0027s context."
                }
              ],
              "value": "The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache\u0027s standard mod_php matches `\\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server\u0027s context."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:37:50.059Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48946",
        "datePublished": "2026-06-25T15:25:28.947Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:37:50.059Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48945 (GCVE-0-2026-48945)

    Vulnerability from nvd – Published: 2026-06-25 15:26 – Updated: 2026-06-28 18:39
    VLAI
    Title
    Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < 2.26
    Summary
    The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload via archive extraction
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48945",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T18:45:48.959013Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T18:45:53.728Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/\u003cid\u003e/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names \u2014 non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access."
                }
              ],
              "value": "The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/\u003cid\u003e/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names \u2014 non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload via archive extraction",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:39:05.415Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48945",
        "datePublished": "2026-06-25T15:26:48.917Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:39:05.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48944 (GCVE-0-2026-48944)

    Vulnerability from nvd – Published: 2026-06-25 15:24 – Updated: 2026-06-28 18:37
    VLAI
    Title
    Joomla Extension - getk2.org - Exposure of sensitive files via attachment copy in K2 extension for Joomla < 2.26
    Summary
    The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user — including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48944",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T18:42:56.836321Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T18:43:28.883Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user \u2014 including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint."
                }
              ],
              "value": "The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user \u2014 including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:37:04.294Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Exposure of sensitive files via attachment copy in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48944",
        "datePublished": "2026-06-25T15:24:45.138Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:37:04.294Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48943 (GCVE-0-2026-48943)

    Vulnerability from nvd – Published: 2026-06-25 15:22 – Updated: 2026-06-28 18:35
    VLAI
    Title
    Joomla Extension - getk2.org - Authenticated user property mass-assignment in K2 extension for Joomla < 2.26
    Summary
    K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table — none of which are exposed by the K2 frontend profile-edit form.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes — i.e. mass-assignment
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48943",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T18:46:02.531914Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T18:46:31.284Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "K2 \u2264 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table \u2014 none of which are exposed by the K2 frontend profile-edit form."
                }
              ],
              "value": "K2 \u2264 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table \u2014 none of which are exposed by the K2 frontend profile-edit form."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes \u2014 i.e. mass-assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:35:03.388Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Authenticated user property mass-assignment in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48943",
        "datePublished": "2026-06-25T15:22:50.562Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:35:03.388Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48942 (GCVE-0-2026-48942)

    Vulnerability from nvd – Published: 2026-06-25 15:23 – Updated: 2026-06-28 18:29
    VLAI
    Title
    Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26
    Summary
    K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48942",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T15:52:10.335054Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T15:52:26.928Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "K2 \u2264 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping."
                }
              ],
              "value": "K2 \u2264 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:29:05.078Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48942",
        "datePublished": "2026-06-25T15:23:38.156Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:29:05.078Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48941 (GCVE-0-2026-48941)

    Vulnerability from nvd – Published: 2026-06-25 15:25 – Updated: 2026-06-28 18:38
    VLAI
    Title
    Joomla Extension - getk2.org - Unauthenticated folder delete in K2 extension for Joomla < 2.26
    Summary
    The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly as the target of a `JFolder::delete()` call under `/media/k2/galleries/`.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-862 - Missing Authorisation
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48941",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T18:51:08.132365Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T18:51:16.322Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`."
                }
              ],
              "value": "The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorisation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:38:20.470Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Unauthenticated folder delete in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48941",
        "datePublished": "2026-06-25T15:25:58.533Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:38:20.470Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48940 (GCVE-0-2026-48940)

    Vulnerability from nvd – Published: 2026-06-25 15:26 – Updated: 2026-06-28 18:38
    Title
    Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26
    Summary
    A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 3.4,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48940",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T18:47:21.595982Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T18:47:31.383Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A Joomla user with K2 \"create item\" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `\u003cscript\u003e` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page."
                }
              ],
              "value": "A Joomla user with K2 \"create item\" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `\u003cscript\u003e` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:38:46.748Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48940",
        "datePublished": "2026-06-25T15:26:27.174Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:38:46.748Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2019-19634 (GCVE-0-2019-19634)

    Vulnerability from nvd – Published: 2019-12-17 17:11 – Updated: 2024-08-05 02:25
    Summary
    class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:25:12.269Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://medium.com/%40jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jra89/CVE-2019-19634"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-17T17:13:41.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://medium.com/%40jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jra89/CVE-2019-19634"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-19634",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068",
                  "refsource": "MISC",
                  "url": "https://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068"
                },
                {
                  "name": "https://medium.com/@jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e",
                  "refsource": "MISC",
                  "url": "https://medium.com/@jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e"
                },
                {
                  "name": "https://github.com/jra89/CVE-2019-19634",
                  "refsource": "MISC",
                  "url": "https://github.com/jra89/CVE-2019-19634"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-19634",
        "datePublished": "2019-12-17T17:11:29.000Z",
        "dateReserved": "2019-12-08T00:00:00.000Z",
        "dateUpdated": "2024-08-05T02:25:12.269Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-19576 (GCVE-0-2019-19576)

    Vulnerability from nvd – Published: 2019-12-04 17:33 – Updated: 2024-08-05 02:16
    Summary
    class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:16:48.542Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.verot.net/php_class_upload.htm"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.verot.net"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jra89/CVE-2019-19576"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://medium.com/%40jra8908/cve-2019-19576-e9da712b779"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-06T17:06:09.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.verot.net/php_class_upload.htm"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.verot.net"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jra89/CVE-2019-19576"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://medium.com/%40jra8908/cve-2019-19576-e9da712b779"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-19576",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.verot.net/php_class_upload.htm",
                  "refsource": "MISC",
                  "url": "https://www.verot.net/php_class_upload.htm"
                },
                {
                  "name": "https://www.verot.net",
                  "refsource": "MISC",
                  "url": "https://www.verot.net"
                },
                {
                  "name": "https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4",
                  "refsource": "MISC",
                  "url": "https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4"
                },
                {
                  "name": "https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1",
                  "refsource": "MISC",
                  "url": "https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1"
                },
                {
                  "name": "https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3",
                  "refsource": "MISC",
                  "url": "https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3"
                },
                {
                  "name": "https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2",
                  "refsource": "MISC",
                  "url": "https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2"
                },
                {
                  "name": "https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124",
                  "refsource": "MISC",
                  "url": "https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124"
                },
                {
                  "name": "https://github.com/jra89/CVE-2019-19576",
                  "refsource": "MISC",
                  "url": "https://github.com/jra89/CVE-2019-19576"
                },
                {
                  "name": "https://medium.com/@jra8908/cve-2019-19576-e9da712b779",
                  "refsource": "MISC",
                  "url": "https://medium.com/@jra8908/cve-2019-19576-e9da712b779"
                },
                {
                  "name": "http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-19576",
        "datePublished": "2019-12-04T17:33:34.000Z",
        "dateReserved": "2019-12-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T02:16:48.542Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-7482 (GCVE-0-2018-7482)

    Vulnerability from nvd – Published: 2018-02-28 07:00 – Updated: 2024-11-14 20:51 Disputed
    Summary
    The K2 component 2.8.0 for Joomla! has Incorrect Access Control with directory traversal, allowing an attacker to download arbitrary files, as demonstrated by a view=media&task=connector&cmd=file&target=l1_../configuration.php&download=1 request. The specific pathname ../configuration.php should be base64 encoded for a valid attack. NOTE: the vendor disputes this issue because only files under the media-manager path can be downloaded, and the documentation indicates that sensitive information does not belong there. Nonetheless, 2.8.1 has additional blocking of .php downloads.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    References
    Date Public
    2018-02-28 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T06:31:03.557Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.joomlaworks.net/forum/forum-updates-other-resources/49046-false-cve-report-on-k2-v2-8-0"
              },
              {
                "name": "44188",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "https://exploit-db.com/exploits/44188"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2018-7482",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-24T15:57:19.214988Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-14T20:51:45.731Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2018-02-28T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The K2 component 2.8.0 for Joomla! has Incorrect Access Control with directory traversal, allowing an attacker to download arbitrary files, as demonstrated by a view=media\u0026task=connector\u0026cmd=file\u0026target=l1_../configuration.php\u0026download=1 request. The specific pathname ../configuration.php should be base64 encoded for a valid attack. NOTE: the vendor disputes this issue because only files under the media-manager path can be downloaded, and the documentation indicates that sensitive information does not belong there. Nonetheless, 2.8.1 has additional blocking of .php downloads"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-03-02T16:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.joomlaworks.net/forum/forum-updates-other-resources/49046-false-cve-report-on-k2-v2-8-0"
            },
            {
              "name": "44188",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "https://exploit-db.com/exploits/44188"
            }
          ],
          "tags": [
            "disputed"
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2018-7482",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "** DISPUTED ** The K2 component 2.8.0 for Joomla! has Incorrect Access Control with directory traversal, allowing an attacker to download arbitrary files, as demonstrated by a view=media\u0026task=connector\u0026cmd=file\u0026target=l1_../configuration.php\u0026download=1 request. The specific pathname ../configuration.php should be base64 encoded for a valid attack. NOTE: the vendor disputes this issue because only files under the media-manager path can be downloaded, and the documentation indicates that sensitive information does not belong there. Nonetheless, 2.8.1 has additional blocking of .php downloads."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.joomlaworks.net/forum/forum-updates-other-resources/49046-false-cve-report-on-k2-v2-8-0",
                  "refsource": "MISC",
                  "url": "https://www.joomlaworks.net/forum/forum-updates-other-resources/49046-false-cve-report-on-k2-v2-8-0"
                },
                {
                  "name": "44188",
                  "refsource": "EXPLOIT-DB",
                  "url": "https://exploit-db.com/exploits/44188"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2018-7482",
        "datePublished": "2018-02-28T07:00:00.000Z",
        "dateReserved": "2018-02-25T00:00:00.000Z",
        "dateUpdated": "2024-11-14T20:51:45.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2010-0696 (GCVE-0-2010-0696)

    Vulnerability from nvd – Published: 2010-02-23 18:00 – Updated: 2024-08-07 00:59
    Summary
    Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://osvdb.org/62331 vdb-entryx_refsource_OSVDB
    http://www.joomlaworks.gr/content/view/77/34/ x_refsource_CONFIRM
    http://www.exploit-db.com/exploits/11447 exploitx_refsource_EXPLOIT-DB
    http://www.securityfocus.com/bid/38238 vdb-entryx_refsource_BID
    http://secunia.com/advisories/38587 third-party-advisoryx_refsource_SECUNIA
    Date Public
    2010-02-14 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T00:59:38.265Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "62331",
                "tags": [
                  "vdb-entry",
                  "x_refsource_OSVDB",
                  "x_transferred"
                ],
                "url": "http://osvdb.org/62331"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://www.joomlaworks.gr/content/view/77/34/"
              },
              {
                "name": "11447",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/11447"
              },
              {
                "name": "38238",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/38238"
              },
              {
                "name": "38587",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/38587"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2010-02-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2010-06-17T09:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "62331",
              "tags": [
                "vdb-entry",
                "x_refsource_OSVDB"
              ],
              "url": "http://osvdb.org/62331"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://www.joomlaworks.gr/content/view/77/34/"
            },
            {
              "name": "11447",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/11447"
            },
            {
              "name": "38238",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/38238"
            },
            {
              "name": "38587",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/38587"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2010-0696",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "62331",
                  "refsource": "OSVDB",
                  "url": "http://osvdb.org/62331"
                },
                {
                  "name": "http://www.joomlaworks.gr/content/view/77/34/",
                  "refsource": "CONFIRM",
                  "url": "http://www.joomlaworks.gr/content/view/77/34/"
                },
                {
                  "name": "11447",
                  "refsource": "EXPLOIT-DB",
                  "url": "http://www.exploit-db.com/exploits/11447"
                },
                {
                  "name": "38238",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/38238"
                },
                {
                  "name": "38587",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/38587"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2010-0696",
        "datePublished": "2010-02-23T18:00:00.000Z",
        "dateReserved": "2010-02-23T00:00:00.000Z",
        "dateUpdated": "2024-08-07T00:59:38.265Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-2395 (GCVE-0-2009-2395)

    Vulnerability from nvd – Published: 2009-07-09 16:00 – Updated: 2024-08-07 05:52
    Summary
    SQL injection vulnerability in the K2 (com_k2) component 1.0.1 Beta and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the category parameter in an itemlist action to index.php.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/35517 vdb-entryx_refsource_BID
    http://www.exploit-db.com/exploits/9030 exploitx_refsource_EXPLOIT-DB
    http://www.vupen.com/english/advisories/2009/1733 vdb-entryx_refsource_VUPEN
    Date Public
    2009-06-29 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T05:52:14.022Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "35517",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/35517"
              },
              {
                "name": "9030",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/9030"
              },
              {
                "name": "ADV-2009-1733",
                "tags": [
                  "vdb-entry",
                  "x_refsource_VUPEN",
                  "x_transferred"
                ],
                "url": "http://www.vupen.com/english/advisories/2009/1733"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-06-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in the K2 (com_k2) component 1.0.1 Beta and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the category parameter in an itemlist action to index.php."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-18T12:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "35517",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/35517"
            },
            {
              "name": "9030",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/9030"
            },
            {
              "name": "ADV-2009-1733",
              "tags": [
                "vdb-entry",
                "x_refsource_VUPEN"
              ],
              "url": "http://www.vupen.com/english/advisories/2009/1733"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2009-2395",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SQL injection vulnerability in the K2 (com_k2) component 1.0.1 Beta and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the category parameter in an itemlist action to index.php."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "35517",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/35517"
                },
                {
                  "name": "9030",
                  "refsource": "EXPLOIT-DB",
                  "url": "http://www.exploit-db.com/exploits/9030"
                },
                {
                  "name": "ADV-2009-1733",
                  "refsource": "VUPEN",
                  "url": "http://www.vupen.com/english/advisories/2009/1733"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2009-2395",
        "datePublished": "2009-07-09T16:00:00.000Z",
        "dateReserved": "2009-07-09T00:00:00.000Z",
        "dateUpdated": "2024-08-07T05:52:14.022Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-48945 (GCVE-0-2026-48945)

    Vulnerability from cvelistv5 – Published: 2026-06-25 15:26 – Updated: 2026-06-28 18:39
    Title
    Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < 2.26
    Summary
    The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload via archive extraction
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48945",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T18:45:48.959013Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T18:45:53.728Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/\u003cid\u003e/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names \u2014 non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access."
                }
              ],
              "value": "The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/\u003cid\u003e/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names \u2014 non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload via archive extraction",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:39:05.415Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48945",
        "datePublished": "2026-06-25T15:26:48.917Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:39:05.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48940 (GCVE-0-2026-48940)

    Vulnerability from cvelistv5 – Published: 2026-06-25 15:26 – Updated: 2026-06-28 18:38
    Title
    Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26
    Summary
    A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 3.4,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48940",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T18:47:21.595982Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T18:47:31.383Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A Joomla user with K2 \"create item\" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `\u003cscript\u003e` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page."
                }
              ],
              "value": "A Joomla user with K2 \"create item\" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `\u003cscript\u003e` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:38:46.748Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48940",
        "datePublished": "2026-06-25T15:26:27.174Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:38:46.748Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48941 (GCVE-0-2026-48941)

    Vulnerability from cvelistv5 – Published: 2026-06-25 15:25 – Updated: 2026-06-28 18:38
    Title
    Joomla Extension - getk2.org - Unauthenticated folder delete in K2 extension for Joomla < 2.26
    Summary
    The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48941",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T18:51:08.132365Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T18:51:16.322Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`"
                }
              ],
              "value": "The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorisation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:38:20.470Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Unauthenticated folder delete in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48941",
        "datePublished": "2026-06-25T15:25:58.533Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:38:20.470Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48946 (GCVE-0-2026-48946)

    Vulnerability from cvelistv5 – Published: 2026-06-25 15:25 – Updated: 2026-06-28 18:37
    Title
    Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < 2.26
    Summary
    The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and a standard Apache mod_php configuration matches `\.php$` and executes them as the web server user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context. Direct execution depends on the web server handing `.php` files under that directory to a PHP handler; the upload itself is accepted regardless.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 6.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48946",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T03:55:55.052Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and a standard Apache mod_php configuration matches `\\.php$` and executes them as the web server user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server\u0027s context. Direct execution depends on the web server handing `.php` files under that directory to a PHP handler; the upload itself is accepted regardless."
                }
              ],
              "value": "The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and a standard Apache mod_php configuration matches `\\.php$` and executes them as the web server user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server\u0027s context. Direct execution depends on the web server handing `.php` files under that directory to a PHP handler; the upload itself is accepted regardless."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:37:50.059Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48946",
        "datePublished": "2026-06-25T15:25:28.947Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:37:50.059Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48944 (GCVE-0-2026-48944)

    Vulnerability from cvelistv5 – Published: 2026-06-25 15:24 – Updated: 2026-06-28 18:37
    Title
    Joomla Extension - getk2.org - Exposure of sensitive files via attachment copy in K2 extension for Joomla < 2.26
    Summary
    The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user — including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48944",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T18:42:56.836321Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T18:43:28.883Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user \u2014 including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint."
                }
              ],
              "value": "The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user \u2014 including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:37:04.294Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Exposure of sensitive files via attachment copy in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48944",
        "datePublished": "2026-06-25T15:24:45.138Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:37:04.294Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48942 (GCVE-0-2026-48942)

    Vulnerability from cvelistv5 – Published: 2026-06-25 15:23 – Updated: 2026-06-28 18:29
    Title
    Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26
    Summary
    K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping. A stored value containing a quote can therefore close the attribute and inject markup or script that runs in the browser of anyone viewing the page. The column is not editable through the K2 frontend profile form; see CVE-2026-48943 for a mass-assignment path that lets a Registered user write it.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48942",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T15:52:10.335054Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T15:52:26.928Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "K2 \u2264 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping. A stored value containing a quote can therefore close the attribute and inject markup or script that runs in the browser of anyone viewing the page. The column is not editable through the K2 frontend profile form; see CVE-2026-48943 for a mass-assignment path that lets a Registered user write it."
                }
              ],
              "value": "K2 \u2264 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping. A stored value containing a quote can therefore close the attribute and inject markup or script that runs in the browser of anyone viewing the page. The column is not editable through the K2 frontend profile form; see CVE-2026-48943 for a mass-assignment path that lets a Registered user write it."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:29:05.078Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48942",
        "datePublished": "2026-06-25T15:23:38.156Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:29:05.078Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48943 (GCVE-0-2026-48943)

    Vulnerability from cvelistv5 – Published: 2026-06-25 15:22 – Updated: 2026-06-28 18:35
    Title
    Joomla Extension - getk2.org - Authenticated user property mass-assignment in K2 extension for Joomla < 2.26
    Summary
    K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table — none of which are exposed by the K2 frontend profile-edit form.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes — i.e. mass-assignment
    Assigner
    References
    URL Tags
    https://www.getk2.org/ product
    Impacted products
    Credits
    Matan Bahar Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48943",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T18:46:02.531914Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T18:46:31.284Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "K2 extension for Joomla",
              "vendor": "getk2.org",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0-2.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matan Bahar"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "K2 \u2264 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table \u2014 none of which are exposed by the K2 frontend profile-edit form."
                }
              ],
              "value": "K2 \u2264 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table \u2014 none of which are exposed by the K2 frontend profile-edit form."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes \u2014 i.e. mass-assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-28T18:35:03.388Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.getk2.org/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Joomla Extension - getk2.org - Authenticated user property mass-assignment in K2 extension for Joomla \u003c 2.26",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48943",
        "datePublished": "2026-06-25T15:22:50.562Z",
        "dateReserved": "2026-05-26T16:47:13.550Z",
        "dateUpdated": "2026-06-28T18:35:03.388Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2019-19634 (GCVE-0-2019-19634)

    Vulnerability from cvelistv5 – Published: 2019-12-17 17:11 – Updated: 2024-08-05 02:25
    Summary
    class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:25:12.269Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://medium.com/%40jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jra89/CVE-2019-19634"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-17T17:13:41.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://medium.com/%40jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jra89/CVE-2019-19634"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-19634",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068",
                  "refsource": "MISC",
                  "url": "https://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068"
                },
                {
                  "name": "https://medium.com/@jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e",
                  "refsource": "MISC",
                  "url": "https://medium.com/@jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e"
                },
                {
                  "name": "https://github.com/jra89/CVE-2019-19634",
                  "refsource": "MISC",
                  "url": "https://github.com/jra89/CVE-2019-19634"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-19634",
        "datePublished": "2019-12-17T17:11:29.000Z",
        "dateReserved": "2019-12-08T00:00:00.000Z",
        "dateUpdated": "2024-08-05T02:25:12.269Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-19576 (GCVE-0-2019-19576)

    Vulnerability from cvelistv5 – Published: 2019-12-04 17:33 – Updated: 2024-08-05 02:16
    Summary
    class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:16:48.542Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.verot.net/php_class_upload.htm"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.verot.net"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jra89/CVE-2019-19576"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://medium.com/%40jra8908/cve-2019-19576-e9da712b779"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-06T17:06:09.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.verot.net/php_class_upload.htm"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.verot.net"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jra89/CVE-2019-19576"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://medium.com/%40jra8908/cve-2019-19576-e9da712b779"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-19576",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.verot.net/php_class_upload.htm",
                  "refsource": "MISC",
                  "url": "https://www.verot.net/php_class_upload.htm"
                },
                {
                  "name": "https://www.verot.net",
                  "refsource": "MISC",
                  "url": "https://www.verot.net"
                },
                {
                  "name": "https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4",
                  "refsource": "MISC",
                  "url": "https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4"
                },
                {
                  "name": "https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1",
                  "refsource": "MISC",
                  "url": "https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1"
                },
                {
                  "name": "https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3",
                  "refsource": "MISC",
                  "url": "https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3"
                },
                {
                  "name": "https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2",
                  "refsource": "MISC",
                  "url": "https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2"
                },
                {
                  "name": "https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124",
                  "refsource": "MISC",
                  "url": "https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124"
                },
                {
                  "name": "https://github.com/jra89/CVE-2019-19576",
                  "refsource": "MISC",
                  "url": "https://github.com/jra89/CVE-2019-19576"
                },
                {
                  "name": "https://medium.com/@jra8908/cve-2019-19576-e9da712b779",
                  "refsource": "MISC",
                  "url": "https://medium.com/@jra8908/cve-2019-19576-e9da712b779"
                },
                {
                  "name": "http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-19576",
        "datePublished": "2019-12-04T17:33:34.000Z",
        "dateReserved": "2019-12-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T02:16:48.542Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-7482 (GCVE-0-2018-7482)

    Vulnerability from cvelistv5 – Published: 2018-02-28 07:00 – Updated: 2024-11-14 20:51 Disputed
    Summary
    The K2 component 2.8.0 for Joomla! has incorrect access control combined with directory traversal, allowing an attacker to download arbitrary files, as demonstrated by a view=media&task=connector&cmd=file&target=l1_../configuration.php&download=1 request (the pathname ../configuration.php must be base64-encoded for the request to work). NOTE: the vendor disputes this issue because only files under the media-manager path can be downloaded, and the documentation indicates that sensitive information does not belong there. Nonetheless, 2.8.1 adds blocking of .php downloads. Reviewer note: even if the dispute holds, anything placed under the media-manager path is retrievable by whoever can reach this connector endpoint, and the record does not state what authentication the endpoint requires; a public PoC (EDB 44188) is referenced, so verify the exposure on your own install rather than discounting the record on the dispute alone.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    References
    Date Public
    2018-02-28 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T06:31:03.557Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.joomlaworks.net/forum/forum-updates-other-resources/49046-false-cve-report-on-k2-v2-8-0"
              },
              {
                "name": "44188",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "https://exploit-db.com/exploits/44188"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2018-7482",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-24T15:57:19.214988Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-14T20:51:45.731Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2018-02-28T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The K2 component 2.8.0 for Joomla! has Incorrect Access Control with directory traversal, allowing an attacker to download arbitrary files, as demonstrated by a view=media\u0026task=connector\u0026cmd=file\u0026target=l1_../configuration.php\u0026download=1 request. The specific pathname ../configuration.php should be base64 encoded for a valid attack. NOTE: the vendor disputes this issue because only files under the media-manager path can be downloaded, and the documentation indicates that sensitive information does not belong there. Nonetheless, 2.8.1 has additional blocking of .php downloads"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-03-02T16:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.joomlaworks.net/forum/forum-updates-other-resources/49046-false-cve-report-on-k2-v2-8-0"
            },
            {
              "name": "44188",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "https://exploit-db.com/exploits/44188"
            }
          ],
          "tags": [
            "disputed"
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2018-7482",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "** DISPUTED ** The K2 component 2.8.0 for Joomla! has Incorrect Access Control with directory traversal, allowing an attacker to download arbitrary files, as demonstrated by a view=media\u0026task=connector\u0026cmd=file\u0026target=l1_../configuration.php\u0026download=1 request. The specific pathname ../configuration.php should be base64 encoded for a valid attack. NOTE: the vendor disputes this issue because only files under the media-manager path can be downloaded, and the documentation indicates that sensitive information does not belong there. Nonetheless, 2.8.1 has additional blocking of .php downloads."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.joomlaworks.net/forum/forum-updates-other-resources/49046-false-cve-report-on-k2-v2-8-0",
                  "refsource": "MISC",
                  "url": "https://www.joomlaworks.net/forum/forum-updates-other-resources/49046-false-cve-report-on-k2-v2-8-0"
                },
                {
                  "name": "44188",
                  "refsource": "EXPLOIT-DB",
                  "url": "https://exploit-db.com/exploits/44188"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2018-7482",
        "datePublished": "2018-02-28T07:00:00.000Z",
        "dateReserved": "2018-02-25T00:00:00.000Z",
        "dateUpdated": "2024-11-14T20:51:45.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2010-0696 (GCVE-0-2010-0696)

    Vulnerability from cvelistv5 – Published: 2010-02-23 18:00 – Updated: 2024-08-07 00:59
    Summary
    Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ sequence (a modified dot-dot pattern, presumably chosen to get past a naive ../ filter) in the file parameter. The record references a public exploit (EDB 11447) and a vendor advisory but names no fixed version; check the vendor advisory for the patched release, and confirm that download.php resolves the requested path and checks it against the intended media directory rather than stripping ../ substrings.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://osvdb.org/62331 vdb-entry, x_refsource_OSVDB
    http://www.joomlaworks.gr/content/view/77/34/ x_refsource_CONFIRM
    http://www.exploit-db.com/exploits/11447 exploit, x_refsource_EXPLOIT-DB
    http://www.securityfocus.com/bid/38238 vdb-entry, x_refsource_BID
    http://secunia.com/advisories/38587 third-party-advisory, x_refsource_SECUNIA
    Date Public
    2010-02-14 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T00:59:38.265Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "62331",
                "tags": [
                  "vdb-entry",
                  "x_refsource_OSVDB",
                  "x_transferred"
                ],
                "url": "http://osvdb.org/62331"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://www.joomlaworks.gr/content/view/77/34/"
              },
              {
                "name": "11447",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/11447"
              },
              {
                "name": "38238",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/38238"
              },
              {
                "name": "38587",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/38587"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2010-02-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2010-06-17T09:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "62331",
              "tags": [
                "vdb-entry",
                "x_refsource_OSVDB"
              ],
              "url": "http://osvdb.org/62331"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://www.joomlaworks.gr/content/view/77/34/"
            },
            {
              "name": "11447",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/11447"
            },
            {
              "name": "38238",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/38238"
            },
            {
              "name": "38587",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/38587"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2010-0696",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "62331",
                  "refsource": "OSVDB",
                  "url": "http://osvdb.org/62331"
                },
                {
                  "name": "http://www.joomlaworks.gr/content/view/77/34/",
                  "refsource": "CONFIRM",
                  "url": "http://www.joomlaworks.gr/content/view/77/34/"
                },
                {
                  "name": "11447",
                  "refsource": "EXPLOIT-DB",
                  "url": "http://www.exploit-db.com/exploits/11447"
                },
                {
                  "name": "38238",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/38238"
                },
                {
                  "name": "38587",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/38587"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2010-0696",
        "datePublished": "2010-02-23T18:00:00.000Z",
        "dateReserved": "2010-02-23T00:00:00.000Z",
        "dateUpdated": "2024-08-07T00:59:38.265Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-2395 (GCVE-0-2009-2395)

    Vulnerability from cvelistv5 – Published: 2009-07-09 16:00 – Updated: 2024-08-07 05:52
    Summary
    SQL injection vulnerability in the K2 (com_k2) component 1.0.1 Beta and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the category parameter in an itemlist action to index.php. The record names no fixed version and carries no CVSS score, but a public exploit (EDB 9030) is referenced and nothing in the record indicates that authentication is required, so treat any K2 install at or below 1.0.1 Beta as exploitable until upgraded.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/35517 vdb-entry, x_refsource_BID
    http://www.exploit-db.com/exploits/9030 exploit, x_refsource_EXPLOIT-DB
    http://www.vupen.com/english/advisories/2009/1733 vdb-entry, x_refsource_VUPEN
    Date Public
    2009-06-29 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T05:52:14.022Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "35517",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/35517"
              },
              {
                "name": "9030",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/9030"
              },
              {
                "name": "ADV-2009-1733",
                "tags": [
                  "vdb-entry",
                  "x_refsource_VUPEN",
                  "x_transferred"
                ],
                "url": "http://www.vupen.com/english/advisories/2009/1733"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-06-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in the K2 (com_k2) component 1.0.1 Beta and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the category parameter in an itemlist action to index.php."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-18T12:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "35517",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/35517"
            },
            {
              "name": "9030",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/9030"
            },
            {
              "name": "ADV-2009-1733",
              "tags": [
                "vdb-entry",
                "x_refsource_VUPEN"
              ],
              "url": "http://www.vupen.com/english/advisories/2009/1733"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2009-2395",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SQL injection vulnerability in the K2 (com_k2) component 1.0.1 Beta and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the category parameter in an itemlist action to index.php."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "35517",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/35517"
                },
                {
                  "name": "9030",
                  "refsource": "EXPLOIT-DB",
                  "url": "http://www.exploit-db.com/exploits/9030"
                },
                {
                  "name": "ADV-2009-1733",
                  "refsource": "VUPEN",
                  "url": "http://www.vupen.com/english/advisories/2009/1733"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2009-2395",
        "datePublished": "2009-07-09T16:00:00.000Z",
        "dateReserved": "2009-07-09T00:00:00.000Z",
        "dateUpdated": "2024-08-07T05:52:14.022Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }