Lucene search
K

200 matches found

NVD
NVD
added 2026/06/25 4:16 p.m.10 views

CVE-2026-48945

The K2 article gallery upload path accepts a zip/tar archive, extracts it under /media/k2/galleries//, and only renames image files gif/jpg/jpeg/png/webp to safe names — non-image files including .php are extracted as-is and remain executable via direct HTTP access...

5.3CVSS0.00197EPSS
Exploits0References1
NVD
NVD
added 2026/06/25 4:16 p.m.12 views

CVE-2026-48946

The K2 frontend article-attachment upload path accepts files whose extension is .php, and Apache's standard modphp matches .php$ and executes them under the K2 web user. A K2 Author can upload a shell.php, then fetch /media/k2/attachments/shell.php and execute arbitrary PHP code in the web...

6.3CVSS0.00167EPSS
Exploits0References1
NVD
NVD
added 2026/06/25 4:16 p.m.9 views

CVE-2026-48944

The K2 frontend article-save handler accepts an attachmentNexisting POST field that is concatenated with JPATHSITE/ and passed to JFile::copy. JPath::clean does NOT strip .., and there is no allow-list of source paths. An Author can therefore copy configuration.php or any other file readable by t...

6.5CVSS0.00295EPSS
Exploits0References1
NVD
NVD
added 2026/06/25 4:16 p.m.7 views

CVE-2026-48940

A Joomla user with K2 "create item" rights Author tier by default can submit an article whose embedVideo POST field contains a raw tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page...

3.4CVSS0.00167EPSS
Exploits0References1
NVD
NVD
added 2026/06/25 4:16 p.m.9 views

CVE-2026-48943

K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plguserk2. A Registered Joomla user, by including the field K2UserForm=1 in a standard comusers profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the k2users table —...

6.5CVSS0.00182EPSS
Exploits0References1
NVD
NVD
added 2026/06/25 4:16 p.m.9 views

CVE-2026-48942

K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...

6.1CVSS0.00149EPSS
Exploits0References1
NVD
NVD
added 2026/06/25 4:16 p.m.7 views

CVE-2026-48941

The K2 frontend item.checkin task accepts an unauthenticated sigProFolder query parameter and uses it directly to address a JFolder::delete call under /media/k2/galleries/...

6.5CVSS0.00159EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/25 3:26 p.m.7 views

CVE-2026-48945 Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < 2.26

The K2 article gallery upload path accepts a zip/tar archive, extracts it under /media/k2/galleries//, and only renames image files gif/jpg/jpeg/png/webp to safe names — non-image files including .php are extracted as-is and remain executable via direct HTTP access...

5.8AI score0.00197EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/25 3:26 p.m.5 views

CVE-2026-48945

The K2 article gallery upload path accepts a zip/tar archive, extracts it under /media/k2/galleries//, and only renames image files gif/jpg/jpeg/png/webp to safe names — non-image files including .php are extracted as-is and remain executable via direct HTTP access...

5.3CVSS5.9AI score0.00197EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/06/25 3:26 p.m.8 views

EUVD-2026-39447

The K2 article gallery upload path accepts a zip/tar archive, extracts it under /media/k2/galleries//, and only renames image files gif/jpg/jpeg/png/webp to safe names — non-image files including .php are extracted as-is and remain executable via direct HTTP access...

5.3CVSS5.9AI score0.00197EPSS
Exploits0References1
CVE
CVE
added 2026/06/25 3:26 p.m.14 views

CVE-2026-48945

The CVE describes a vulnerability in the K2 Joomla extension (getk2.com) where the article gallery upload path accepts a zip/tar archive and extracts it to /media/k2/galleries//. The extractor renames image files (gif/jpg/jpeg/png/webp) to safe names, but non-image files (including .php) are extr...

5.3CVSS5.9AI score0.00197EPSS
Exploits0References1Affected Software1
AlpineLinux
AlpineLinux
added 2026/06/25 3:26 p.m.12 views

CVE-2026-48945

The K2 article gallery upload path accepts a zip/tar archive, extracts it under /media/k2/galleries//, and only renames image files gif/jpg/jpeg/png/webp to safe names — non-image files including .php are extracted as-is and remain executable via direct HTTP access...

5.3CVSS5.8AI score0.00197EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/25 3:26 p.m.35 views

CVE-2026-48940 Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26

A Joomla user with K2 "create item" rights Author tier by default can submit an article whose embedVideo POST field contains a raw tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page...

0.00167EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/25 3:26 p.m.7 views

CVE-2026-48940

A Joomla user with K2 "create item" rights Author tier by default can submit an article whose embedVideo POST field contains a raw...

3.4CVSS5.9AI score0.00167EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/25 3:26 p.m.18 views

CVE-2026-48940

CVE-2026-48940 involves a stored cross-site scripting (XSS) in the Joomla extension K2. A user with K2 (Author by default) create-item rights can submit an article where the embedVideo POST field contains a raw [removed] tag. K2 stores the payload verbatim and renders it unescaped to every visito...

3.4CVSS5.9AI score0.00167EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/25 3:26 p.m.5 views

CVE-2026-48940 Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26

A Joomla user with K2 "create item" rights Author tier by default can submit an article whose embedVideo POST field contains a raw tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page...

5.8AI score0.00167EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/06/25 3:26 p.m.7 views

CVE-2026-48940

A Joomla user with K2 "create item" rights Author tier by default can submit an article whose embedVideo POST field contains a raw tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page...

3.4CVSS5.8AI score0.00167EPSS
Exploits0References1
CVE
CVE
added 2026/06/25 3:25 p.m.18 views

CVE-2026-48941

CVE-2026-48941 affects the K2 frontend, specifically the item.checkin task in the GetK2 Joomla extension (for Joomla

6.5CVSS5.8AI score0.00159EPSS
Exploits0References1Affected Software1
AlpineLinux
AlpineLinux
added 2026/06/25 3:25 p.m.8 views

CVE-2026-48941

The K2 frontend item.checkin task accepts an unauthenticated sigProFolder query parameter and uses it directly to address a JFolder::delete call under /media/k2/galleries/...

6.5CVSS5.8AI score0.00159EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/25 3:25 p.m.39 views

CVE-2026-48946 Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < 2.26

The K2 frontend article-attachment upload path accepts files whose extension is .php, and Apache's standard modphp matches .php$ and executes them under the K2 web user. A K2 Author can upload a shell.php, then fetch /media/k2/attachments/shell.php and execute arbitrary PHP code in the web...

0.00167EPSS
Exploits0References1
Rows per page
Query Builder