CVE-2026-48944
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
A vulnerability in the K2 component for Joomla! allows an Author to copy any file readable by the web user (e.g., configuration.php or /etc/passwd) to the /media/k2/attachments/ directory by manipulating the `attachment[N][existing]` POST field. Lack of source path validation and `..` filtering in `JPath::clean` enables a path traversal attack.
Risk Assessment
An attacker with Author privileges can access sensitive server files, including Joomla! configuration files (containing database credentials) or system files, leading to full site compromise and potentially server takeover.
Recommendation
Immediately update the K2 component to the latest patched version. As a temporary workaround, disable the K2 attachment upload feature or apply WAF rules to block manipulation of the `existing` field.
Original NVD description (English source)
The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user — including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint.

