Description
The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.
Published: 2026-06-25
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The K2 extension’s front‑end article‑attachment upload accepts files whose names end with the .php extension. Apache’s mod_php treats such files as executable PHP code and runs them under the web‑server user. A user with K2 Author privileges can upload a crafted shell.php, then retrieve it via the web server to execute arbitrary PHP code with web‑server privileges. The vulnerability allows remote code execution in the context of the web server when an attacker can supply a PHP file through the upload interface.

Affected Systems

The flaw targets the K2 Extension for Joomla provided by getk2.com. All releases older than 2.26 contain the vulnerability; any installation using a pre‑2.26 build is potentially impacted.

Risk and Exploitability

The CVSS score is 6.3, but the vulnerability still permits remote code execution when an attacker can upload files as an author. Since the upload path performs no validation beyond the file name, the exploit path is straightforward once author credentials are available. EPSS is not available and the issue is not listed in the CISA KEV catalog, yet the potential impact remains high due to the privilege escalation to the web‑server context. Based on the description, it is inferred that the likely attack vector requires a valid K2 Author account to upload a PHP file, and that the attacker can immediately retrieve and execute the file via a web request.

Generated by OpenCVE AI on June 25, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the K2 extension to version 2.26 or later, which removes the unrestricted PHP upload capability.
  • If an upgrade cannot be performed immediately, configure the web server to block execution of .php files in the K2 attachment directory (for example, using an .htaccess rule that forbids .php execution or disabling ExecCGI).
  • Restrict the K2 author role to only the permissions required for content creation, or disable the attachment upload capability for that role, and monitor for any unauthorized upload activity.

Generated by OpenCVE AI on June 25, 2026 at 20:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.getk2.org/ cve-icon
History

Sun, 28 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title Joomla Extension - getk2.com - Privileged RCE vulnerability in K2 extension for Joomla < 2.26 Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < 2.26

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Getk2
Getk2 k2 Extension For Joomla
Vendors & Products Getk2
Getk2 k2 Extension For Joomla

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.
Title Joomla Extension - getk2.com - Privileged RCE vulnerability in K2 extension for Joomla < 2.26
Weaknesses CWE-434
References

Subscriptions

Getk2 K2 Extension For Joomla
cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-28T18:37:50.059Z

Reserved: 2026-05-26T16:47:13.550Z

Link: CVE-2026-48946

cve-icon Vulnrichment

Updated: 2026-06-25T18:52:12.622Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:37:02Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type