21
I Use This!
Very Low Activity
Analyzed 1 day ago. based on code collected 2 days ago.
 

Security

Vulnerabilities per Version

Learn more about BDSAs
 
 

Major Versions

1yr
3yr
5yr
10yr
All
click and drag to zoom
 
 
Security Vulnerabilities for Version:
Severities:
Type
Identifier Related Record Severity Date Published Description Versions Affected
CVE-2026-48946 Medium Jun 25, 2026 The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes the more...
2.9.0, v2.8.0, v2.7.1, v2.7.0, 2.6.9, 2.6.8, 2.6.7, 2.6.6, 2.6.5, 2.6.4
CVE-2026-48945 Medium Jun 25, 2026 The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries//`, and only renames image files (gif/jpg/jpeg/png more...
2.9.0, v2.8.0, v2.7.1, v2.7.0, 2.6.9, 2.6.8, 2.6.7, 2.6.6, 2.6.5, 2.6.4
CVE-2026-48944 Medium Jun 25, 2026 The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy more...
2.9.0, v2.8.0, v2.7.1, v2.7.0, 2.6.9, 2.6.8, 2.6.7, 2.6.6, 2.6.5, 2.6.4
CVE-2026-48943 Medium Jun 25, 2026 K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` more...
2.9.0, v2.8.0, v2.7.1, v2.7.0, 2.6.9, 2.6.8, 2.6.7, 2.6.6, 2.6.5, 2.6.4
CVE-2026-48942 Medium Jun 25, 2026 K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.
2.9.0, v2.8.0, v2.7.1, v2.7.0, 2.6.9, 2.6.8, 2.6.7, 2.6.6, 2.6.5, 2.6.4
CVE-2026-48941 Medium Jun 25, 2026 The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` cal more...
2.9.0, v2.8.0, v2.7.1, v2.7.0, 2.6.9, 2.6.8, 2.6.7, 2.6.6, 2.6.5, 2.6.4
CVE-2026-48940 Low Jun 25, 2026 A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `` tag; K2 store more...
2.9.0, v2.8.0, v2.7.1, v2.7.0, 2.6.9, 2.6.8, 2.6.7, 2.6.6, 2.6.5, 2.6.4
CVE-2019-19634 Critical Dec 17, 2019 class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht more...
2.9.0, v2.8.0, v2.7.1, v2.7.0, 2.6.9, 2.6.8, 2.6.7, 2.6.6, 2.6.5, 2.6.4
CVE-2019-19576 Critical Dec 04, 2019 class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar f more...
2.9.0, v2.8.0, v2.7.1, v2.7.0, 2.6.9, 2.6.8, 2.6.7, 2.6.6, 2.6.5, 2.6.4