CVE-2026-48945: CWE-434 Unrestricted Upload via archive extraction in getk2.com K2 extension for Joomla
The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.
CVSS v3.1: 5.3 (Medium)
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-48945 is a CWE-434 unrestricted file upload vulnerability in the K2 extension for Joomla (versions 1.0 through 2.26). The vulnerability arises because the gallery upload path accepts archive files and extracts them under `/media/k2/galleries/<id>/`. Only image files (gif, jpg, jpeg, png, webp) are renamed to safe filenames, but non-image files, including `.php` scripts, are extracted as-is. These files remain executable and accessible via direct HTTP access, enabling potential remote code execution or other malicious actions.
Potential Impact
An attacker can upload a crafted archive containing malicious non-image files such as PHP scripts. Since these files are extracted without renaming or sanitization and remain executable, the attacker could execute arbitrary code on the web server. This compromises the confidentiality, integrity, and availability of the affected system.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to disable or restrict the gallery upload feature to trusted users only and implement additional server-side controls to prevent execution of uploaded files in the `/media/k2/galleries/` directory (e.g., web server configuration to disallow PHP execution).
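As an added example (not K2's or Joomla's code) of the server-side control the recommendation describes: an extractor that applies the image allow-list to every archive entry, not only to the files it renames, so a `.php` entry is never written under `/media/k2/galleries/<id>/`. Function names, the header-sniffing table and the sample archive built in `demo()` are assumptions.

```python
# Added example, not K2's own code: a hardened gallery-archive extractor that writes
# only allow-listed image entries under random safe names and rejects everything
# else. Function names, paths and the sample archive built in demo() are assumptions.
import os
import secrets
import tempfile
import zipfile
from pathlib import Path

IMAGE_EXTS = {"gif", "jpg", "jpeg", "png", "webp"}  # allow-list the advisory names
MAGIC = {b"GIF8": "gif", b"\xff\xd8\xff": "jpg", b"\x89PNG": "png"}  # header sniffing

def sniff_ext(head: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for magic, ext in MAGIC.items():
        if head.startswith(magic):
            return ext
    return "webp" if head[:4] == b"RIFF" and head[8:12] == b"WEBP" else None

def safe_extract_gallery(archive: str, dest: str) -> dict:
    """Extract only image entries into dest; return {'kept': [...], 'rejected': [...]}."""
    Path(dest).mkdir(parents=True, exist_ok=True)
    result = {"kept": [], "rejected": []}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = os.path.basename(info.filename.replace("\\", "/"))  # flatten: no subdirs
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if ext not in IMAGE_EXTS:  # .php and any other non-image entry never reaches disk
                result["rejected"].append((info.filename, "extension not allow-listed"))
                continue
            data = zf.read(info)
            if sniff_ext(data[:16]) != ext.replace("jpeg", "jpg"):  # e.g. PHP named photo.jpg
                result["rejected"].append((info.filename, "content is not that image type"))
                continue
            out = Path(dest) / f"{secrets.token_hex(8)}.{ext}"  # name not derived from the entry
            out.write_bytes(data)
            result["kept"].append(out.name)
    return result

def demo() -> dict:
    """Constructed sample archive: a real PNG, a .php script, and PHP disguised as .jpg."""
    work = tempfile.mkdtemp()
    zpath = os.path.join(work, "gallery.zip")
    with zipfile.ZipFile(zpath, "w") as zf:
        zf.writestr("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("shell.php", b"<?php echo 1; ?>")
        zf.writestr("fake.jpg", b"<?php echo 2; ?>")
    return safe_extract_gallery(zpath, os.path.join(work, "galleries", "42"))
```

Blocking PHP execution under `/media/k2/galleries/` in the web server remains worthwhile as a second layer, since this only governs what new uploads write to disk.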
Technical Details
- Data Version: 5.2
- Assigner Short Name: Joomla
- Date Reserved: 2026-05-26T16:47:13.550Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3d4d4b4853345fc124a306
Added to database: 06/25/2026, 15:46:19 UTC
Last enriched: 06/25/2026, 16:01:54 UTC
Last updated: 06/26/2026, 02:21:05 UTC