Vulnerability Details CVE-2026-48946
The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 6.4%
CVSS Severity
CVSS v3 Score 6.3
References
Products affected by CVE-2026-48946
-
cpe:2.3:a:joomlaworks:k2:-
-
cpe:2.3:a:joomlaworks:k2:2.10.1
-
cpe:2.3:a:joomlaworks:k2:2.13
-
cpe:2.3:a:joomlaworks:k2:2.14
-
cpe:2.3:a:joomlaworks:k2:2.15
-
cpe:2.3:a:joomlaworks:k2:2.16
-
cpe:2.3:a:joomlaworks:k2:2.17
-
cpe:2.3:a:joomlaworks:k2:2.18
-
cpe:2.3:a:joomlaworks:k2:2.19
-
cpe:2.3:a:joomlaworks:k2:2.20
-
cpe:2.3:a:joomlaworks:k2:2.21
-
cpe:2.3:a:joomlaworks:k2:2.22
-
cpe:2.3:a:joomlaworks:k2:2.23
-
cpe:2.3:a:joomlaworks:k2:2.24
-
cpe:2.3:a:joomlaworks:k2:2.25
-
cpe:2.3:a:joomlaworks:k2:2.26
-
cpe:2.3:a:joomlaworks:k2:2.8.0