PatchSiren cyber security CVE debrief

CVE-2026-48945 Joomlaworks CVE debrief

The K2 article gallery upload path accepts a zip/tar archive and extracts it under `/media/k2/galleries/<id>/`. The extraction process only renames image files (gif/jpg/jpeg/png/webp) to safe names, while non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access. This vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity. The CVE was published on 2026-06-25T16:16:37.060Z and last modified on 2026-06-28T19:16:51.837Z. The vulnerability affects JoomlaWorks' K2 product, specifically version 2.26 and prior.

Vendor: Joomlaworks
Product: K2
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-25
Original CVE updated: 2026-06-28
Advisory published: 2026-06-25
Advisory updated: 2026-06-28

Who should care

Administrators and security teams responsible for Joomla-based websites that use the K2 extension should be aware of this vulnerability. Its MEDIUM severity combined with the potential for code execution makes it a concern for anyone managing high-traffic or sensitive sites. Sites running K2 version 2.26 or earlier are affected.

Technical summary

The K2 article gallery upload path accepts a zip or tar archive and extracts its contents under `/media/k2/galleries/<id>/`. The extraction step renames only image files with allowlisted extensions (gif, jpg, jpeg, png, webp) to safe names; it does not apply that allowlist as a gate on what gets written to disk. Non-image files, PHP files included, are therefore extracted under their original names into a web-accessible directory and remain executable via direct HTTP access. Because the archive contents are not otherwise validated or sanitized, the result is potential code execution, especially where an attacker is able to upload arbitrary archives.

Defensive priority

Apply the vendor's official patch or upgrade to a version of K2 that properly handles archive uploads and file renaming. Implement additional security measures such as Web Application Firewalls (WAFs) to detect and prevent suspicious file uploads and executions.

Recommended defensive actions

  • Apply the official patch or upgrade to a secure version of K2.
  • Implement a Web Application Firewall (WAF) to detect and prevent suspicious file uploads and executions.
  • Restrict file uploads to only trusted users and validate file types before upload.
  • Monitor the `/media/k2/galleries/` directory for suspicious files and unexpected changes.
  • Consider implementing additional security measures such as file upload validation, execution prevention, and regular security audits.
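To make concrete both the gating the technical summary describes and the directory check in the monitoring action above, here is an added Python example (not K2's own code, which is PHP): image entries are renamed and written, every other entry is rejected before it reaches disk, and a scan lists non-image files under an existing galleries tree. The sample archive, its entry names and the leftover file are constructed for the demonstration.

```python
import io
import os
import secrets
import tempfile
import zipfile
IMAGE_EXTS = {"gif", "jpg", "jpeg", "png", "webp"}  # allowlist from the advisory

def safe_name(entry_name):
    """Random safe name for an allowlisted image entry, or None to reject it."""
    base = os.path.basename(entry_name.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    # Gate on the allowlist BEFORE anything is written; the flaw described
    # above applied the extension check only when renaming image files.
    if ext not in IMAGE_EXTS:
        return None
    return f"{secrets.token_hex(8)}.{ext}"

def extract_gallery(archive_bytes, dest_dir):
    """Write only allowlisted images (renamed); return (written, rejected) entry names."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            new_name = safe_name(info.filename)
            if new_name is None:
                rejected.append(info.filename)  # never reaches disk
                continue
            with zf.open(info) as src, open(os.path.join(dest_dir, new_name), "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected

def find_non_image_files(gallery_root):
    """Monitoring check: files under the galleries tree that are not allowlisted images."""
    return [os.path.join(r, f) for r, _d, files in os.walk(gallery_root)
            for f in files if safe_name(f) is None]

def demo():
    """Constructed archive through the hardened extractor, then the scan on a leftover .php."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 constructed, not a real jpeg")
        zf.writestr("sub/script.php", b"<?php echo 'constructed sample'; ?>")
    with tempfile.TemporaryDirectory() as d:
        written, rejected = extract_gallery(buf.getvalue(), d)
        clean = find_non_image_files(d)
        open(os.path.join(d, "leftover.php"), "wb").close()  # simulate pre-patch residue
        dirty = [os.path.basename(p) for p in find_non_image_files(d)]
    return {"written": written, "rejected": rejected, "clean": clean, "dirty": dirty}
```

Pointing `find_non_image_files` at the real `/media/k2/galleries/` directory gives the periodic check suggested above; any hit is a file the hardened extractor would never have written.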

Evidence notes

This debrief of CVE-2026-48945 is based on official sources, namely the CVE.org record and the NVD detail page. The vulnerability affects JoomlaWorks' K2 product, specifically version 2.26 and prior. The CVSS score of 5.3 corresponds to MEDIUM severity. The vulnerability allows potential code execution via direct HTTP access to non-renamed files extracted from uploaded zip/tar archives.

Official resources

This article is AI-assisted and based on the supplied source corpus.