Description

The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.

Severity (CVSS)

Base score6.3
SeverityMedium
VersionCVSS 3.1
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Provided byCISA-ADP

Weaknesses

  • CWE-434 — CWE-434 Unrestricted Upload of File with Dangerous Type

Affected products

VendorProductVersions
getk2.comK2 extension for Joomla1.0-2.26

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 26 Jun 2026 07:05 UTC.