CVE-2026-48945
Analyzed Analyzed - Analysis Complete

K2 Gallery Archive Path Traversal Vulnerability

Vulnerability report for CVE-2026-48945, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-28

Assigner: Joomla! Project

Description

The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names β€” non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-28
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
joomlaworks k2 to 2.26 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the K2 article gallery upload path, which accepts zip or tar archives and extracts their contents under the directory /media/k2/galleries/<id>/.

While image files (gif, jpg, jpeg, png, webp) are renamed to safe names during extraction, non-image files, including potentially dangerous files like .php scripts, are extracted without renaming and remain executable.

This means that an attacker can upload a malicious archive containing executable files that will be accessible and executable via direct HTTP access on the server.

Impact Analysis

This vulnerability can allow an attacker to upload and execute arbitrary code on the affected server by placing executable files such as PHP scripts in the gallery upload directory.

As a result, the attacker could potentially take control of the server, access sensitive data, modify or delete content, or use the server as a foothold for further attacks.

Compliance Impact

The vulnerability allows non-image files, including potentially executable files like .php, to be uploaded and executed via direct HTTP access. This could lead to unauthorized access or control over the affected system.

Such unauthorized access or execution of malicious code may result in exposure or compromise of sensitive data, which can negatively impact compliance with data protection regulations such as GDPR and HIPAA.

Therefore, this vulnerability poses a risk to maintaining the confidentiality and security of personal or protected health information required by these standards.

Detection Guidance

This vulnerability involves the extraction of archives containing executable non-image files (such as .php) into the /media/k2/galleries/<id>/ directory, which remain accessible via direct HTTP requests.

To detect this vulnerability on your system, you can check for the presence of unexpected executable files in the K2 galleries upload directories.

  • Use commands to find non-image files in the galleries directory, for example:
  • find /media/k2/galleries/ -type f \! -iname '*.gif' \! -iname '*.jpg' \! -iname '*.jpeg' \! -iname '*.png' \! -iname '*.webp'
  • Check for accessible PHP or other executable files via HTTP by attempting to access URLs like http://yourdomain/media/k2/galleries/<id>/filename.php
Mitigation Strategies

Immediate mitigation steps include preventing the execution of non-image files uploaded via the K2 gallery upload path.

  • Restrict or disable the execution of PHP and other scripts in the /media/k2/galleries/ directory using web server configuration (e.g., .htaccess rules or server config).
  • Implement validation or filtering on uploaded archives to allow only image files to be extracted.
  • Regularly scan the galleries directory for unexpected executable files and remove them.
  • Apply any available patches or updates from the K2 extension developers once released.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48945. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart