CVE Catalog

CVE-2026-48945

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

A vulnerability in the K2 component for Joomla! allows uploading a ZIP/TAR archive containing PHP files to the gallery directory. The system only renames image files, leaving non-image files (including PHP) extracted as-is and accessible via HTTP, enabling remote code execution.

Risk Assessment

An attacker can upload a malicious PHP file to the server, gaining full control over the Joomla! site and access to data, leading to site takeover and potential security breach for the organization.

Recommendation

Immediately update the K2 component to the latest patched version and restrict permissions on the /media/k2/galleries/ directory by disabling script execution in that directory.

Original NVD description (English source)

The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS