Description
The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The K2 article gallery upload path in the Joomla extension allows users to upload zip or tar archives. During extraction it only renames image files (gif, jpg, jpeg, png, webp) but leaves all other files—including PHP scripts—unchanged. Those files are written to /media/k2/galleries/<id>/ and can be directly accessed via HTTP, giving an attacker the ability to execute arbitrary PHP code on the web server and gain the privileges of that server process.

Affected Systems

The vulnerability affects the getk2.com K2 extension for Joomla on all versions prior to 2.26. Any Joomla site that has this extension installed and permits gallery uploads is susceptible. Based on the description, the Joomla core version is not a determining factor for the flaw.

Risk and Exploitability

The flaw is a remote code execution vulnerability with no prerequisites beyond the ability to upload a gallery archive. The CVSS score of 5.3 indicates medium severity. An attacker can craft a malicious archive, upload it through the gallery interface, and then invoke the extracted PHP file over the web. Because the vulnerability is not yet listed in CISA's KEV catalog and no EPSS score is available, the exact likelihood of exploitation is unknown, but the high impact of RCE makes it a high‑risk issue that should be remediated as soon as possible.

Generated by OpenCVE AI on June 25, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the K2 extension to version 2.26 or later so the issue is resolved.
  • If upgrading immediately is not possible, place a deny rule in the .htaccess file for /media/k2/galleries/ to prevent execution of PHP or other scripts in that directory.
  • Reconfigure the extension or implement server‑side validation to accept only image files (gif, jpg, png, webp, etc.) and reject any other file types during the upload process.

Generated by OpenCVE AI on June 25, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.getk2.org/ cve-icon
History

Sun, 28 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title Joomla Extension - getk2.com - Privileged RCE vulnerability in K2 extension for Joomla < 2.26 Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < 2.26

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Getk2
Getk2 k2 Extension For Joomla
Vendors & Products Getk2
Getk2 k2 Extension For Joomla

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.
Title Joomla Extension - getk2.com - Privileged RCE vulnerability in K2 extension for Joomla < 2.26
Weaknesses CWE-434
References

Subscriptions

Getk2 K2 Extension For Joomla
cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-28T18:39:05.415Z

Reserved: 2026-05-26T16:47:13.550Z

Link: CVE-2026-48945

cve-icon Vulnrichment

Updated: 2026-06-25T18:45:42.957Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:56Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type