File Upload Vulnerability in K2 by Joomla
CVE-2026-48946

Currently unrated

Key Information:

Vendor: Getk2.com

CVE Published: 25 June 2026

What is CVE-2026-48946?

The K2 component for Joomla contains a security flaw that lets malicious users upload PHP files through the article-attachment path. The component improperly handles files with a .php extension, so unauthorized authors can upload potentially harmful scripts, such as shell.php. Once uploaded, such a script can be executed in the context of the K2 web user, leading to arbitrary code execution on the server. The vulnerability underscores the need for strict validation of file uploads.
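The kind of upload validation the description calls for, as an added example that is not K2 or Joomla code: an allowlist check on the final extension plus a server-generated stored name. The function name `stored_attachment_name`, the `ALLOWED_EXT` list and the sample filenames (other than shell.php) are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not K2 or Joomla code.
// Assumed allowlist; trim it to the attachment types the site really needs.
const ALLOWED_EXT = ['pdf', 'txt', 'png', 'jpg', 'jpeg', 'zip', 'docx'];

// Returns the name to store the attachment under, or null to reject the upload.
function stored_attachment_name(string $clientName): ?string
{
    // Reject NUL/control bytes, which can truncate or disguise the name.
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName)) {
        return null;
    }
    // Keep only the last path component of the client-supplied name.
    $base = basename(str_replace('\\', '/', $clientName));
    // Some filesystems drop trailing dots and spaces ("shell.php." becomes "shell.php").
    $base = rtrim($base, '. ');
    $dot = strrpos($base, '.');
    if ($dot === false || $dot === 0) {
        return null; // no extension, or a dotfile such as ".htaccess"
    }
    // Compare case-insensitively against the allowlist, never against a denylist.
    $ext = strtolower(substr($base, $dot + 1));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null; // php, phtml, phar and anything else not listed
    }
    // Store under a random name so inner segments ("shell.php.jpg") never reach disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names for illustration (shell.php is the name used in the advisory).
$samples = ['report.pdf', 'shell.php', 'shell.PHP', 'shell.php.', 'shell.php.jpg',
            '.htaccess', '../../shell.php', "shell.php\0.jpg", 'notes'];
foreach ($samples as $name) {
    $stored = stored_attachment_name($name);
    printf("%-24s %s\n", json_encode($name), $stored ?? 'REJECTED');
}
```

A filename check is one layer only; keeping attachments in a directory where the web server does not execute PHP limits the impact if a check is bypassed.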

Affected Version(s)

K2 extension for Joomla 1.0-2.26

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matan Bahar