File Inclusion Vulnerability in K2 for Joomla by GetK2
CVE-2026-48944
Currently unrated
What is CVE-2026-48944?
A file inclusion vulnerability exists in K2 for Joomla: the frontend article-save handler improperly handles the attachment[N][existing] POST field. The field is merged with JPATH_SITE/ and then passed to JFile::copy(). JPath::clean does not adequately strip directory traversal sequences such as .., so an attacker with author-level permissions can exploit this weakness. An attacker could use it to overwrite sensitive files such as configuration.php or to access any file that the web user can read, including critical system files like ../../../etc/passwd.
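The flaw class described above, shown next to a containment check that closes it. This is an added example, not K2 or Joomla code: the function names, the media/attachments base directory and the sandbox layout are assumptions made for the illustration.

```php
<?php
// Added illustration, not K2 or Joomla code; all function names are hypothetical.

// Stand-in for a cleaner that only normalises separators and leaves ".." in
// place, the behaviour the advisory attributes to JPath::clean.
function clean_separators(string $path): string
{
    return preg_replace('#[/\\\\]+#', '/', trim($path));
}

// Weak pattern: join the request value to the site root and trust the result.
function resolve_weak(string $siteRoot, string $existing): string
{
    return clean_separators($siteRoot . '/' . $existing);
}

// Hardened pattern: canonicalise first, then require a regular file inside the
// one directory attachments may come from (assumed here: media/attachments).
function resolve_safe(string $siteRoot, string $allowedBase, string $existing): ?string
{
    $base = realpath($allowedBase);
    $real = realpath($siteRoot . '/' . $existing);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0 ? $real : null;
}

// Constructed sandbox standing in for JPATH_SITE.
$site = sys_get_temp_dir() . '/k2demo_' . bin2hex(random_bytes(4));
mkdir($site . '/media/attachments', 0700, true);
file_put_contents($site . '/media/attachments/report.pdf', 'pdf');
file_put_contents($site . '/configuration.php', '<?php // constructed secret');

// Constructed values for attachment[N][existing]; the last is the one on the page.
$values = ['media/attachments/report.pdf', 'configuration.php', '../../../etc/passwd'];
foreach ($values as $value) {
    $weak = resolve_weak($site, $value);
    $safe = resolve_safe($site, $site . '/media/attachments', $value);
    printf("%-30s\n  weak: %s\n  safe: %s\n", $value, $weak, $safe ?? 'REJECTED');
}

// Remove the sandbox.
array_map('unlink', [$site . '/media/attachments/report.pdf', $site . '/configuration.php']);
rmdir($site . '/media/attachments');
rmdir($site . '/media');
rmdir($site);
```

In this sandbox the second value needs no traversal at all, because the file sits directly under the root the value is joined to. Rejecting .. alone would therefore not be enough; the check has to confine the resolved path to an allowed directory.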
Affected Version(s)
K2 extension for Joomla 1.0-2.26
