Question 1

What is CVE-2026-48945 — CVE-2026-48945?

Accepted Answer

The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.

Question 2

What is the authoritative source for CVE-2026-48945?

Accepted Answer

CVE-2026-48945 (CVE-2026-48945) is catalogued in NVD + CISA KEV + FIRST EPSS and curated for EU compliance use cases by SQUR.

CVSS	5.3 ()
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Last modified	2026-06-25

CVE-2026-48945CVE-2026-48945

Description

Scoring