Home

Description

The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user — including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint.

PUBLISHED Reserved 2026-05-26 | Published 2026-06-25 | Updated 2026-06-25 | Assigner Joomla

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory

Product status

Default status
unaffected

1.0-2.26
affected

Credits

Matan Bahar finder

Niv Kochan finder

References

www.getk2.org/ product

cve.org (CVE-2026-48944)

nvd.nist.gov (CVE-2026-48944)

Download JSON