CVE-2026-48944

Summary

The K2 frontend article-save handler accepts an attachment[N][existing] POST field that is concatenated with JPATH_SITE/ and passed to JFile::copy(). JPath::clean does NOT strip .., and there is no allow-list of source paths. An Author can therefore copy configuration.php (or any other file readable by the web user — including ../../../etc/passwd) into /media/k2/attachments/, then retrieve the contents via the K2 attachment-download endpoint.

Affected Software

VendorProductVersion RangeStatus
getk2.orgK2 extension for Joomla1.0-2.26affected

Weaknesses

  • CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References