Shodan
Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-48945

The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 9.7%
CVSS Severity
CVSS v3 Score 5.3
Products affected by CVE-2026-48945
  • Joomlaworks » K2 » Version: N/A
    cpe:2.3:a:joomlaworks:k2:-
  • Joomlaworks » K2 » Version: 2.10.1
    cpe:2.3:a:joomlaworks:k2:2.10.1
  • Joomlaworks » K2 » Version: 2.13
    cpe:2.3:a:joomlaworks:k2:2.13
  • Joomlaworks » K2 » Version: 2.14
    cpe:2.3:a:joomlaworks:k2:2.14
  • Joomlaworks » K2 » Version: 2.15
    cpe:2.3:a:joomlaworks:k2:2.15
  • Joomlaworks » K2 » Version: 2.16
    cpe:2.3:a:joomlaworks:k2:2.16
  • Joomlaworks » K2 » Version: 2.17
    cpe:2.3:a:joomlaworks:k2:2.17
  • Joomlaworks » K2 » Version: 2.18
    cpe:2.3:a:joomlaworks:k2:2.18
  • Joomlaworks » K2 » Version: 2.19
    cpe:2.3:a:joomlaworks:k2:2.19
  • Joomlaworks » K2 » Version: 2.20
    cpe:2.3:a:joomlaworks:k2:2.20
  • Joomlaworks » K2 » Version: 2.21
    cpe:2.3:a:joomlaworks:k2:2.21
  • Joomlaworks » K2 » Version: 2.22
    cpe:2.3:a:joomlaworks:k2:2.22
  • Joomlaworks » K2 » Version: 2.23
    cpe:2.3:a:joomlaworks:k2:2.23
  • Joomlaworks » K2 » Version: 2.24
    cpe:2.3:a:joomlaworks:k2:2.24
  • Joomlaworks » K2 » Version: 2.25
    cpe:2.3:a:joomlaworks:k2:2.25
  • Joomlaworks » K2 » Version: 2.26
    cpe:2.3:a:joomlaworks:k2:2.26
  • Joomlaworks » K2 » Version: 2.8.0
    cpe:2.3:a:joomlaworks:k2:2.8.0


Products
Pricing
Contact Us

Shodan ® - All rights reserved