cbcvebase.
CVE-2026-48907
published 2026-06-05


Priority: P1 · 98 · Critical · CVSS 4.0 base score 10.0
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability (due 2026-06-19)
Exploited in the wild
EPSS: 80.42% (99.6th percentile)
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.

Affected

1 range

Vendor                    Product                                        Version range    Fixed in
joomlacontenteditor.net   joomla_content_editor_extension_for_joomla

Detection & IOCs (extracted from sources)

url:      /index.php?option=com_jce&task=profiles.import
url:      POST /index.php?option=com_jce HTTP/1.1
filename: nuclei-<md5(Hostname+'phuJ4OoP')>.xml.php
path:     /tmp/nuclei-<md5(Hostname+'phuJ4OoP')>.xml.php
  • Hunt for unauthenticated POST requests to /index.php?option=com_jce with task=profiles.import in web server access logs — this is the exploit entry point.
  • Look for suspicious/rogue editor profiles created in JCE — attackers import a malicious profile to stage a web shell for persistent backdoor access.
  • Check the Joomla /tmp/ directory for .xml.php double-extension files — the exploit PoC drops a file named nuclei-<md5hash>.xml.php there.
  • The exploit uses a multipart form-data POST with a profile_file field containing a filename with a .xml.php double extension to bypass upload filters.
  • Updating JCE closes the entry point but does NOT remove attacker artifacts — scan for web shells and rogue profiles even after patching.
  • The exploit flow is three-stage: (1) GET homepage to extract CSRF token, (2) POST malicious profile import with CSRF token, (3) GET the dropped .xml.php web shell to confirm execution.
  • CSRF token is extracted from the page body via regex pattern matching '"csrf.token" : "<32 hex chars>"' and reused in the exploit POST request.
  • The patched version differs between sources: BleepingComputer states the fix is in JCE Pro 2.9.99.6, while The Hacker News states it was patched in version 2.9.99.5 released June 3, 2026. Verify the exact minimum safe version against the vendor changelog before deploying detection version-exclusion rules.
  • The affected version range is JCE 1.0.0 through 2.9.99.4 per The Hacker News; ensure detection/inventory queries cover this full historical range.
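The hunting steps above (unauthenticated POSTs to com_jce, fetches of a .xml.php double-extension file, double-extension files left in the Joomla /tmp/, and the version-range caveat) as one runnable triage script. This is an added example, not code from cvebase, JCE, Joomla or the Nuclei template. It assumes Apache/nginx combined log format; the log lines, the IP addresses and the 32-hex "md5" in the file name are constructed placeholders, and the first fixed version is a parameter rather than a constant because the two sources disagree on it. It also flags a bare POST to option=com_jce at lower confidence, since task=profiles.import can travel in the multipart body, which access logs do not record.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Combined-format access log lines, constructed for this example (the md5 in the
# .xml.php name is a placeholder, not a real hash of any hostname).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2026:10:01:12 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jun/2026:10:01:13 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jun/2026:10:01:14 +0000] "GET /tmp/nuclei-0123456789abcdef0123456789abcdef.xml.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jun/2026:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8201 "-" "Mozilla/5.0"
192.0.2.77 - - [05/Jun/2026:10:03:00 +0000] "POST /index.php?option=com_jce HTTP/1.1" 200 128 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# <name>.<ext>.php double extension, e.g. nuclei-<hash>.xml.php
DOUBLE_EXT_RE = re.compile(r'\.[A-Za-z0-9]+\.php$', re.IGNORECASE)


def classify(line):
    """Tag one access-log line; returns (ip, tag, target) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    query = parse_qs(parts.query)
    tag = None
    if m['method'] == 'POST' and parts.path.endswith('/index.php') \
            and query.get('option') == ['com_jce']:
        # task=profiles.import may sit in the multipart body instead of the query
        # string; access logs do not record bodies, so a bare com_jce POST is a
        # lower-confidence hit that still deserves a look.
        tag = 'jce_profile_import' if query.get('task') == ['profiles.import'] else 'jce_post'
    elif m['method'] == 'GET' and DOUBLE_EXT_RE.search(parts.path):
        tag = 'double_ext_fetch'
    return (m['ip'], tag, m['target']) if tag else None


def hunt(log_text):
    """Return all tagged hits, plus the source IPs that both imported a profile
    and then fetched a double-extension file (the full exploit chain)."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    tags_by_ip = defaultdict(set)
    for ip, tag, _ in hits:
        tags_by_ip[ip].add(tag)
    chained = sorted(ip for ip, tags in tags_by_ip.items()
                     if {'jce_profile_import', 'double_ext_fetch'} <= tags)
    return hits, chained


def find_double_extension_files(tmp_dir):
    """Names of files under tmp_dir (e.g. the Joomla /tmp/) with a double extension."""
    return sorted(p.name for p in Path(tmp_dir).rglob('*')
                  if p.is_file() and DOUBLE_EXT_RE.search(p.name))


def demo_tmp_scan():
    """Build a throwaway directory with constructed file names and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ('index.html', 'profile.xml', 'cache.txt.php',
                     'nuclei-0123456789abcdef0123456789abcdef.xml.php'):
            Path(d, name).touch()
        return find_double_extension_files(d)


def version_affected(version, first_fixed):
    """True if a JCE version string satisfies 1.0.0 <= version < first_fixed.
    first_fixed is a parameter because the sources disagree on the fix release."""
    v = tuple(int(x) for x in version.split('.'))
    return (1, 0, 0) <= v < tuple(int(x) for x in first_fixed.split('.'))


if __name__ == '__main__':
    hits, chained = hunt(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print('full chain from:', chained)
    print('double-extension files in tmp:', demo_tmp_scan())
    print('2.9.99.4 affected (fix 2.9.99.5)?', version_affected('2.9.99.4', '2.9.99.5'))
```

Run it against a real access log by passing the file contents to hunt() and the Joomla tmp path to find_double_extension_files(); any IP in the chained list touched both the import endpoint and a dropped .xml.php, which is the strongest signal in the log alone. Because patching does not remove artifacts, the filesystem scan is worth running even on hosts already on a fixed release.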

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         4.0       10.0    CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
vulncheck             10.0    CRITICAL
cisa                  10.0    CRITICAL