CVE-2026-48944
Status: Received - Intake
Path Traversal in K2 Joomla Extension

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Joomla! Project

Description
The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user, including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: joomla
Product: k2
Version / Range: *
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

This vulnerability exists in the K2 frontend article-save handler, which accepts a POST field named `attachment[N][existing]`. This field is concatenated with the server path `JPATH_SITE/` and passed to the file copy function `JFile::copy()`. The path cleaning function `JPath::clean` does not remove directory traversal sequences like `..`, and there is no allow-list restricting source file paths.

As a result, an Author-level user can exploit this by copying sensitive files such as `configuration.php` or any other file readable by the web user (including system files like `../../../etc/passwd`) into the `/media/k2/attachments/` directory. These files can then be accessed and downloaded via the K2 attachment-download endpoint.
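The following PHP script is an added illustration of the defensive point behind this record; it is not K2 or Joomla code. `simpleClean()` is a stand-in written for this example that only tidies separators and, like the behaviour the description attributes to `JPath::clean`, leaves `..` in place. `resolveWeak()` shows the concatenate-then-clean pattern; `resolveStrict()` shows the missing check: canonicalise with `realpath()` and require the result to sit below the attachments directory. The directory layout is constructed in a temporary folder so the script runs offline.

```php
<?php
// Added example, not the project's own code. Demonstrates why separator-only
// cleaning does not contain an "existing attachment" reference, and how a
// realpath-based allow-list check does.
declare(strict_types=1);

// Stand-in for a separator-only clean. Assumption: it mirrors the one property
// the advisory relies on, namely that ".." segments survive untouched.
function simpleClean(string $path): string
{
    return preg_replace('#[/\\\\]+#', '/', $path);
}

// Weak pattern: untrusted input appended to the site root, then "cleaned".
// ".." survives, so the result can point anywhere the web user can read.
function resolveWeak(string $siteRoot, string $existing): string
{
    return simpleClean($siteRoot . '/' . $existing);
}

// Hardened pattern: the input keeps the same shape (a path relative to the
// site root) but must canonicalise to a regular file strictly below the
// attachments directory. Returns null for anything else.
function resolveStrict(string $siteRoot, string $existing): ?string
{
    if ($existing === '' || str_contains($existing, "\0")) {
        return null;
    }
    $allowedBase = realpath($siteRoot . '/media/k2/attachments');
    $candidate   = realpath($siteRoot . '/' . $existing);
    if ($allowedBase === false || $candidate === false || !is_file($candidate)) {
        return null;
    }
    $allowedBase .= DIRECTORY_SEPARATOR;
    // Prefix check on canonical absolute paths: ".." segments and symlinks
    // have already been resolved, so an escape no longer starts with the base.
    if (strncmp($candidate, $allowedBase, strlen($allowedBase)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed layout: <tmp>/site/configuration.php and
// <tmp>/site/media/k2/attachments/report.pdf
$tmp            = sys_get_temp_dir() . '/k2demo_' . bin2hex(random_bytes(4));
$siteRoot       = $tmp . '/site';
$attachmentsDir = $siteRoot . '/media/k2/attachments';
mkdir($attachmentsDir, 0700, true);
file_put_contents($siteRoot . '/configuration.php', "<?php // constructed placeholder\n");
file_put_contents($attachmentsDir . '/report.pdf', "constructed attachment bytes\n");

// Sample values for the POST field, constructed for this example.
$inputs = [
    'media/k2/attachments/report.pdf', // legitimate reference, inside the base
    'configuration.php',               // inside the site root, outside the base
    '../../../etc/passwd',             // traversal above the site root
];

foreach ($inputs as $existing) {
    $weak   = resolveWeak($siteRoot, $existing);
    $strict = resolveStrict($siteRoot, $existing);
    printf("input  : %s\n", $existing);
    printf("  weak : %s\n", $weak);
    printf("  strict: %s\n\n", $strict ?? '(rejected)');
}

// Clean up the constructed layout.
unlink($attachmentsDir . '/report.pdf');
unlink($siteRoot . '/configuration.php');
rmdir($attachmentsDir);
rmdir($siteRoot . '/media/k2');
rmdir($siteRoot . '/media');
rmdir($siteRoot);
rmdir($tmp);
```

Run with `php example.php`. Only the first input passes `resolveStrict()`; the other two are rejected because their canonical paths do not start with the attachments directory, even though `resolveWeak()` happily returns a string containing `..` for the third. The same containment check is the generic mitigation for CWE-22 whenever a user-supplied path is joined to a fixed base.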

Impact Analysis

This vulnerability allows an attacker with Author-level access to read and download sensitive files from the server that should normally be protected.

  • Disclosure of sensitive configuration files such as `configuration.php` which may contain database credentials and other secrets.
  • Exposure of system files like `/etc/passwd` that could aid in further attacks.
  • Potential compromise of the confidentiality and integrity of the web application and server environment.