CVE Catalog

CVE-2026-48946

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile — higher than 6% of all known CVEs

Summary

A vulnerability in the K2 component allows authors to upload PHP files as article attachments. Apache executes these files, enabling remote PHP code execution in the web server context.

Risk Assessment

An attacker with author privileges can gain full control over the web server, steal data, install malware, or use the server for further attacks.

Recommendation

Immediately block PHP file uploads in the K2 component and configure Apache to prevent PHP execution in the /media/k2/attachments/ directory.

Original NVD description (English source)

The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS