# Remediation Handoff: CVE-2019-19576

## Summary

class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions. (Description per NVD; the OSV entry gives the same text.)
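Two triage checks derived from the summary above, as an added example that is neither verot's code nor part of the advisory: the version test encodes the affected ranges stated there, and the extension test shows the kind of check a fixed deployment must pass, including `.phar` and double extensions. The extension list and version strings are constructed for illustration.

```python
"""Triage helpers for CVE-2019-19576 (constructed example, not verot's code).

Assumes the operator has read a version string such as "2.0.3" out of the
deployed class.upload.php; the affected ranges are those given in the
summary: before 1.0.3, and 2.x before 2.0.4.
"""
from typing import Tuple

# Constructed list: it only illustrates that a fixed deployment must
# reject .phar alongside the usual PHP-executable extensions.
DANGEROUS_EXTENSIONS = frozenset({"php", "phtml", "phar"})


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "2.0.3" into (2, 0, 3); non-numeric parts raise ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str) -> bool:
    """True if the version falls in a range the summary lists as vulnerable."""
    v = parse_version(version)
    if v[0] <= 1:
        return v < (1, 0, 3)      # "before 1.0.3"
    if v[0] == 2:
        return v < (2, 0, 4)      # "2.x before 2.0.4"
    return False                  # other major lines are not in this CVE entry


def has_dangerous_extension(filename: str) -> bool:
    """Check every dotted suffix, so 'shell.phar.jpg' is still flagged."""
    suffixes = filename.lower().split(".")[1:]
    return any(s in DANGEROUS_EXTENSIONS for s in suffixes)


if __name__ == "__main__":
    for ver in ("1.0.2", "1.0.3", "2.0.3", "2.0.4"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for name in ("report.phar", "image.phar.jpg", "image.jpg"):
        print(name, "blocked" if has_dangerous_extension(name) else "allowed")
```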

## Why it matters

CVSS severity is CRITICAL (score 9.8). EPSS percentile is 0.97736. The CVE is not listed in CISA's KEV catalog. Use this as a defensive priority handoff, not as an execution instruction.

## Affected context

* Vendor: verot_project
* Product: verot
* Component: unknown
* Version / CPE / PURL: unknown

## Remediation context

* Recommended route: vendor_patch_or_mitigation
* Vendor/advisory reference: official_reference_present
* Patch status: requires_confirmation
* Fixed version: unknown
* References:
  * http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html
  * https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124
  * https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1
  * https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2
  * https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3
  * https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4
  * https://www.verot.net/php_class_upload.htm

## Human checklist

* Confirm whether the listed product or package is present.
* Confirm affected version.
* Review vendor advisory or official source.
* Confirm patch, fixed version, mitigation, workaround, or monitor-only decision.
* Confirm exposure.
* Document remediation status.

## Safe AI / Codex handoff

* Goal: Prepare a defensive remediation plan for CVE-2019-19576 using only provided public-safe source context and any separate repo context supplied by the user.
* Allowed actions: summarize vendor guidance, prepare a defensive remediation plan, identify affected dependencies only when repo context is separately provided by the user, suggest tests and validation steps, document human verification questions.
* Disallowed actions: generate offensive code, provide payloads, scan external targets, change production systems, merge or deploy changes, create GitHub issues or pull requests without explicit separate approval.
* Acceptance criteria:
  * Affected product or dependency presence is confirmed by a human.
  * Affected version is confirmed or marked not applicable.
  * Official advisory or source reference is reviewed.
  * Patch, fixed version, mitigation, workaround, or monitor-only decision is documented.
  * Validation steps are proposed without external scanning or production mutation.
* Human approval required: true

## Safety note

This handoff is for defensive triage and remediation planning only. It excludes offensive procedure, payload material, external target scan guidance, and auto-remediation.
