CVE-2026-48946 - Joomla Extension - getk2.com - Privileged RCE vulnerability in K2 extension for Joomla < 2.26
CVE ID :CVE-2026-48946
Published : June 25, 2026, 3:25 p.m. | 1 hour, 16 minutes ago
Description :The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : June 25, 2026, 3:25 p.m. | 1 hour, 16 minutes ago
Description :The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...