Vulnerability Details CVE-2026-48944
The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user — including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 21.2%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2026-48944
-
cpe:2.3:a:joomlaworks:k2:-
-
cpe:2.3:a:joomlaworks:k2:2.10.1
-
cpe:2.3:a:joomlaworks:k2:2.13
-
cpe:2.3:a:joomlaworks:k2:2.14
-
cpe:2.3:a:joomlaworks:k2:2.15
-
cpe:2.3:a:joomlaworks:k2:2.16
-
cpe:2.3:a:joomlaworks:k2:2.17
-
cpe:2.3:a:joomlaworks:k2:2.18
-
cpe:2.3:a:joomlaworks:k2:2.19
-
cpe:2.3:a:joomlaworks:k2:2.20
-
cpe:2.3:a:joomlaworks:k2:2.21
-
cpe:2.3:a:joomlaworks:k2:2.22
-
cpe:2.3:a:joomlaworks:k2:2.23
-
cpe:2.3:a:joomlaworks:k2:2.24
-
cpe:2.3:a:joomlaworks:k2:2.25
-
cpe:2.3:a:joomlaworks:k2:2.26
-
cpe:2.3:a:joomlaworks:k2:2.8.0