CVE-2026-48946
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
A vulnerability in the K2 component allows authors to upload PHP files as article attachments. Apache executes these files, enabling remote PHP code execution in the web server context.
Risk Assessment
An attacker with author privileges can gain full control over the web server, steal data, install malware, or use the server for further attacks.
Recommendation
Immediately block PHP file uploads in the K2 component and configure Apache to prevent PHP execution in the /media/k2/attachments/ directory.
Original NVD description (English source)
The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.

