The K2 article gallery upload path accepts a zip/tar archive and extracts it under `/media/k2/galleries/<id>/`. The extraction step renames only image files (gif/jpg/jpeg/png/webp) to safe names; non-image members, including `.php` files, are written to disk as-is under a web-served directory and can then be executed by requesting them directly over HTTP. This vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity. The CVE was published [truncated]
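The hardening a reviewer would expect for this extraction path is to allowlist archive members before they touch disk, by extension and by content, and to generate the on-disk name rather than reuse anything from the archive. The following is an added example, not K2's code: a hypothetical helper for zip archives (a tar path via PharData would apply the same per-member rule); the function name, the MIME allowlist and the naming scheme are assumptions.

```php
<?php
// Added example (not K2's code): extract a gallery archive, keeping only
// members that are verified images. Helper name and naming scheme are assumptions.

function extractGalleryImages(string $zipPath, string $destDir): array
{
    $allowedExt  = ['gif', 'jpg', 'jpeg', 'png', 'webp'];
    $allowedMime = ['image/gif', 'image/jpeg', 'image/png', 'image/webp'];
    $kept = [];

    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);

    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || substr($name, -1) === '/') {
            continue; // directory entry, nothing to write
        }
        // Only the last path component matters; "../" or nested dirs in the
        // member name never reach the filesystem because we never use them.
        $base = basename(str_replace('\\', '/', $name));
        $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));

        // 1. Allowlist by extension: .php, .phtml, .htaccess, .shtml etc. are skipped,
        //    instead of being extracted as-is the way the vulnerable path does.
        if (!in_array($ext, $allowedExt, true)) {
            continue;
        }
        $data = $zip->getFromIndex($i);
        if ($data === false) {
            continue;
        }
        // 2. Verify the bytes really are an image; the extension is attacker input.
        if (!in_array($finfo->buffer($data), $allowedMime, true)) {
            continue;
        }
        // 3. Write under a generated name so the archive controls neither the
        //    path nor tricks like "shell.php.jpg" that rely on the original name.
        $safeName = sprintf('%03d_%s.%s', $i, bin2hex(random_bytes(4)), $ext);
        file_put_contents($destDir . DIRECTORY_SEPARATOR . $safeName, $data);
        $kept[] = $safeName;
    }
    $zip->close();
    return $kept;
}

// Usage (paths are placeholders):
// $written = extractGalleryImages('/tmp/upload.zip', '/var/www/site/media/k2/galleries/42');
```

Rejecting members rather than renaming them is deliberate: a renamed `.php` file is still PHP on disk, and a later misconfiguration or a second bug could expose it. The extension check alone is also not enough, since the web server decides what to execute by name, so the content check and the regenerated name together are what keep the gallery directory free of executable files.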
CVE-2026-48941 is a MEDIUM severity vulnerability in the K2 frontend `item.checkin` task. The task accepts a `sigProFolder` query parameter from unauthenticated requests and passes it, without validation, as the folder argument of a `JFolder::delete()` call under `/media/k2/galleries/`. This vulnerability was published on June 25, 2026, and modified on June 28, 2026. The Common Vulnerability Scoring System (CVSS) score is 6.5. The vulnerability i [truncated]
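Two things are missing on that code path: the request is not tied to an authenticated user, and a user-supplied string is used as a filesystem path. The guard below is an added example, not K2's code: a hypothetical helper that refuses guests, constrains the parameter to a single folder name, and confirms with `realpath()` that the resolved target lies strictly inside the galleries root before anything is handed to `JFolder::delete()`. The helper name, the identifier pattern and the way the galleries root is passed in are assumptions; in Joomla the root would be built from `JPATH_SITE`.

```php
<?php
// Added example (not K2's code): validate a gallery folder parameter before
// deleting it. Helper name, identifier pattern and root handling are assumptions.

function resolveGalleryFolderForDelete(string $galleriesRoot, string $sigProFolder, bool $isGuest): string
{
    // 1. Never honour the request for an unauthenticated user.
    if ($isGuest) {
        throw new RuntimeException('login required', 403);
    }

    // 2. The parameter is a folder name, not a path: no separators, no dot
    //    segments, nothing outside a conservative character set, bounded length.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $sigProFolder)) {
        throw new InvalidArgumentException('invalid gallery folder name');
    }

    // 3. Resolve both sides (realpath() also follows symlinks) and require the
    //    target to sit strictly below the root; equality with the root is rejected
    //    too, so "." or an empty name can never delete the galleries directory itself.
    $base   = realpath($galleriesRoot);
    $target = realpath($galleriesRoot . DIRECTORY_SEPARATOR . $sigProFolder);
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('gallery folder is not inside the galleries root');
    }

    return $target; // now safe to hand to JFolder::delete()
}

// Usage (placeholder values; in Joomla: $root = JPATH_SITE . '/media/k2/galleries';
// $isGuest = JFactory::getUser()->guest; $folder = $app->input->getString('sigProFolder', '')):
// $path = resolveGalleryFolderForDelete('/var/www/site/media/k2/galleries', $folder, $isGuest);
// JFolder::delete($path);
```

The regex check and the `realpath()` containment check are intentionally redundant: the first rejects traversal syntactically, the second catches anything that survives a future relaxation of the pattern, including symlinks planted inside the galleries tree. A complete fix would additionally confirm that the authenticated user owns the item the folder belongs to, which this example does not model because the advisory does not describe K2's ownership model.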
A Joomla user with K2 'create item' rights, typically at the Author tier, can submit an article with a raw <script> tag in the embedVideo POST field. The K2 extension stores this input verbatim and renders it unescaped on the article page, so the script runs in the browser of anyone who views the article (stored cross-site scripting). This vulnerability has a CVSS score of 3.4 and is rated LOW severity. The issue was published on June 25, 2026, [truncated]
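Because an embed field legitimately holds markup, plain HTML-escaping on output would break the feature; the practical fix is an allowlist that rebuilds the one element the field is for. The filter below is an added example, not K2's code: it assumes the field is meant to carry a single `<iframe>` embed from known video hosts, parses the submitted fragment, keeps only an `https` `src` on an allowlisted host, and emits a freshly constructed element so that `<script>` tags, `on*` handlers, `srcdoc` and `javascript:` URLs are all dropped. The helper name and host list are assumptions.

```php
<?php
// Added example (not K2's code): allowlist filter for a video embed field.
// Helper name and host list are assumptions; adjust the list to the hosts you allow.

function sanitizeEmbedVideo(string $html): string
{
    $allowedHosts = ['www.youtube.com', 'www.youtube-nocookie.com', 'player.vimeo.com'];

    if (trim($html) === '') {
        return '';
    }

    // Parse rather than regex-match: libxml tolerates broken markup, and we
    // only ever read the parsed tree, never echo the input back.
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('iframe') as $iframe) {
        $src    = $iframe->getAttribute('src');
        $scheme = parse_url($src, PHP_URL_SCHEME);
        $host   = parse_url($src, PHP_URL_HOST);
        // parse_url() resolves "https://www.youtube.com@evil.example/" to host evil.example,
        // and a "javascript:" or relative src has no https scheme, so both are skipped.
        if ($scheme !== 'https' || !in_array($host, $allowedHosts, true)) {
            continue;
        }
        // Rebuild from scratch: only the verified src survives, with fixed attributes.
        return sprintf(
            '<iframe src="%s" width="560" height="315" frameborder="0" allowfullscreen></iframe>',
            htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
        );
    }

    // No acceptable embed found (e.g. a bare <script> tag): store nothing.
    return '';
}

// Usage at save time (constructed inputs):
// sanitizeEmbedVideo('<script>alert(1)</script>')                        -> ''
// sanitizeEmbedVideo('<iframe src="https://www.youtube.com/embed/abc" onload="x()">')
//     -> '<iframe src="https://www.youtube.com/embed/abc" width="560" ...></iframe>'
```

Run the filter when the item is saved, so that what reaches the database is already the rebuilt element, and still treat the stored value as untrusted on output; applying the same function again at render time costs little and protects rows that were written before the fix.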