CVE-2026-48946
Analyzed Analyzed - Analysis Complete

K2 Arbitrary PHP Code Execution via Malicious File Upload

Vulnerability report for CVE-2026-48946, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-28

Assigner: Joomla! Project

Description

The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-28
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
joomlaworks k2 to 2.26 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the K2 frontend article-attachment upload path, which allows files with a .php extension to be uploaded.

Because Apache's mod_php module executes files ending with .php, an attacker with K2 Author privileges can upload a file named shell.php.

Once uploaded, the attacker can access and execute this shell.php file on the web server, running arbitrary PHP code with the web server's permissions.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary PHP code on the web server.

This can lead to unauthorized access, data theft, server compromise, or further attacks within the affected environment.

Compliance Impact

This vulnerability allows a K2 Author to upload and execute arbitrary PHP code on the web server, potentially leading to unauthorized access, data breaches, or manipulation of sensitive information.

Such unauthorized code execution and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could result in violations of these regulations due to insufficient security controls and exposure of protected data.

Detection Guidance

This vulnerability involves the upload of `.php` files through the K2 frontend article-attachment upload path, which are then executed by Apache's mod_php. To detect this vulnerability on your system, you can check for the presence of suspicious `.php` files in the `/media/k2/attachments/` directory.

  • Use commands to list `.php` files in the attachments directory, for example: `find /path/to/joomla/media/k2/attachments/ -name '*.php'`.
  • Check web server access logs for requests to `.php` files under `/media/k2/attachments/`, e.g., `grep '/media/k2/attachments/.*\.php' /var/log/apache2/access.log`.
  • Monitor for unusual or unauthorized file uploads by K2 Authors, especially files named like `shell.php`.
Mitigation Strategies

Immediate mitigation steps include preventing the upload and execution of `.php` files through the K2 article-attachment upload path.

  • Restrict file uploads in K2 to disallow `.php` extensions or any executable scripts.
  • Configure the web server to deny execution of PHP files in the `/media/k2/attachments/` directory, for example by disabling PHP execution in that directory via Apache configuration.
  • Review and limit the permissions of K2 Authors to prevent unauthorized file uploads.
  • Remove any existing suspicious `.php` files from the attachments directory.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48946. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart