CVE-2026-48945
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
A vulnerability in the K2 component for Joomla! allows uploading a ZIP/TAR archive containing PHP files to the gallery directory. The system only renames image files, leaving non-image files (including PHP) extracted as-is and accessible via HTTP, enabling remote code execution.
Risk Assessment
An attacker can upload a malicious PHP file to the server, gaining full control over the Joomla! site and access to data, leading to site takeover and potential security breach for the organization.
Recommendation
Immediately update the K2 component to the latest patched version and restrict permissions on the /media/k2/galleries/ directory by disabling script execution in that directory.
Original NVD description (English source)
The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.

