Impact
The K2 article gallery upload path in the Joomla extension allows users to upload zip or tar archives. During extraction it only renames image files (gif, jpg, jpeg, png, webp) but leaves all other files—including PHP scripts—unchanged. Those files are written to /media/k2/galleries/<id>/ and can be directly accessed via HTTP, giving an attacker the ability to execute arbitrary PHP code on the web server and gain the privileges of that server process.
Affected Systems
The vulnerability affects the getk2.com K2 extension for Joomla on all versions prior to 2.26. Any Joomla site that has this extension installed and permits gallery uploads is susceptible. Based on the description, the Joomla core version is not a determining factor for the flaw.
Risk and Exploitability
The flaw is a remote code execution vulnerability with no prerequisites beyond the ability to upload a gallery archive. The CVSS score of 5.3 indicates medium severity. An attacker can craft a malicious archive, upload it through the gallery interface, and then invoke the extracted PHP file over the web. Because the vulnerability is not yet listed in CISA's KEV catalog and no EPSS score is available, the exact likelihood of exploitation is unknown, but the high impact of RCE makes it a high‑risk issue that should be remediated as soon as possible.
OpenCVE Enrichment