CVE-2026-48945

CVE-2026-48945: Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < 2.26

Vendor Getk2.Org

Product K2 extension for Joomla

Weakness CWE-434 · Unrestricted file upload

Published June 25, 2026

Last update June 28, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.

Key dates

Disclosure timeline

June 25, 2026 CVE published

June 28, 2026 Record updated