Impact
The K2 extension’s frontend article‑save handler accepts a POST field named attachment[N][existing] and concatenates it with the site root path before passing it to JFile::copy() with no pathname sanitization. Because JPath::clean does not strip “..” sequences and there is no whitelist of allowed source locations, an authenticated author can point the field at any file readable by the web server user—such as configuration.php or /etc/passwd—and have it copied into the public /media/k2/attachments/ directory. The attacker can then retrieve the file content through the K2 attachment‑download endpoint, resulting in disclosure of arbitrary server‑side files.
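The containment check the handler lacks, shown as an added example in plain PHP (not K2's or Joomla's own code): the user-supplied value is resolved against the attachments directory and accepted only if the real on-disk path stays inside it. The function name safeResolveSource and the temporary directory layout are assumptions for the demo.

```php
<?php
// Added example, not K2 or Joomla code. The "existing attachment" value from
// the request must resolve to a regular file inside the attachments directory
// before it is ever handed to a copy routine such as JFile::copy().

/**
 * Return the canonical path of $userSupplied resolved against $baseDir, or
 * null if it does not exist, is not a regular file, or lies outside $baseDir.
 * realpath() collapses ".." and follows symlinks, so the prefix comparison is
 * made on the real filesystem location, not on the attacker-controlled string.
 */
function safeResolveSource(string $baseDir, string $userSupplied): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($userSupplied, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userSupplied);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment: the candidate must start with "<base>/" so that a sibling
    // directory such as "attachments_old" does not pass a plain prefix test.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed demo data: a throwaway site root with an attachments directory
// and a file outside it standing in for configuration.php.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'k2demo_' . bin2hex(random_bytes(4));
$attachmentsDir = $root . '/media/k2/attachments';
mkdir($attachmentsDir, 0700, true);
file_put_contents($attachmentsDir . '/report.pdf', 'attachment body');
file_put_contents($root . '/configuration.php', '<?php // placeholder, no real secrets');

foreach (['report.pdf', '../../../configuration.php'] as $input) {
    $resolved = safeResolveSource($attachmentsDir, $input);
    printf("%-30s => %s\n", $input, $resolved === null ? 'rejected' : 'allowed');
}

// Remove the demo tree.
unlink($attachmentsDir . '/report.pdf');
unlink($root . '/configuration.php');
rmdir($attachmentsDir); rmdir($root . '/media/k2'); rmdir($root . '/media'); rmdir($root);
```

The second input is rejected even though the string itself contains no forbidden characters, because the check is made on the resolved location rather than on the raw value.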
Affected Systems
All installations of getk2.com’s K2 extension for Joomla older than version 2.26 are affected. No individual earlier versions are enumerated; every release preceding 2.26 should be treated as vulnerable.
Risk and Exploitability
The flaw lets users with author‑level permissions read arbitrary server‑side files and store copies of them in a web‑accessible location. No EPSS score is available and the issue is not listed in CISA KEV, but the missing path validation matches CWE‑22 “Path Traversal”. Based on the description, the likely attack vector is a browser session or direct API calls; the result is medium‑severity data disclosure, as reflected in the CVSS score of 6.5, when sensitive configuration files or system files are accessed.
OpenCVE Enrichment