CVE-2026-48943 Joomla Extension - getk2.com - Authenticated user property mass-assignment in K2 extension for Joomla < 2.26

K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plguserk2. A Registered Joomla user, by including the field K2UserForm=1 in a standard comusers profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the k2users table —...