CISA adds JCE Joomla CVE-2026-48907 to KEV — pre-auth RCE, CVSS 10
CISA added CVE-2026-48907 to KEV on June 16 — an unauth profile-import chain in the JCE Joomla extension that lets attackers upload and execute PHP. Patch in JCE 2.9.99.5.
CISA added CVE-2026-48907 to the Known Exploited Vulnerabilities catalog on June 16, 2026. The flaw is an unauthenticated remote code execution chain in JCE — Joomla Content Editor, by far the most-installed editor extension for Joomla. CVSS v4 is 10.0 (Critical). The fix shipped in JCE 2.9.99.5 in early June, with additional hardening in 2.9.99.6. Federal agencies have the standard KEV remediation timer; everyone else operating Joomla sites should treat it as same-day work.
What the bug does
The vulnerability is a chained design failure in the JCE profile-import workflow, per the YesWeHack disclosure write-up: missing authorization on profile creation, insufficient validation on the imported archive, and disabled upload safety controls combine into a pre-auth path that drops attacker-controlled PHP into /tmp and executes it as the web server. CISA's catalog entry summarises it as "improper access control" allowing "upload and execution of PHP code via the creation of new editor profiles for unauthenticated users."
CWE-284 (improper access control) is the headline mapping, but the operational impact is full RCE on the Joomla host — meaning content rewrite, web-shell persistence, credential theft from the Joomla config, and lateral movement to whatever the PHP process can reach.
Affected versions
- JCE Pro and JCE Core for Joomla, all versions prior to 2.9.99.5.
- Patched and hardened in 2.9.99.5 (early June 2026) and again in 2.9.99.6.
JCE ships on a very large share of Joomla sites — the extension developer's free patch is targeted at operators who cannot move directly to the 2.9.99.6 train.
Exploitation status
- Confirmed in the wild. CISA's June 16 KEV add is based on its standard exploitation evidence threshold; the JCE developer separately confirms active exploitation and has shipped an out-of-band patch for sites that cannot upgrade to 2.9.99.6 immediately.
- Public exploit code available. A proof-of-concept is on GitHub and a Nuclei template is in flight for the projectdiscovery template repo.
- The exploit path is unauthenticated and requires no user interaction, so any internet-reachable Joomla site running a vulnerable JCE version is in scope for mass-scanning.
Action checklist
- Inventory every Joomla site you operate — production, staging, archived, marketing sub-brands, sites managed by agencies. JCE is bundled by default in several Joomla templates and is often installed without the operator remembering.
- Upgrade JCE to 2.9.99.6 on every affected installation. Use the standard Joomla Extensions Manager update, or pull the package from joomlacontenteditor.net directly if your Joomla update channel is stale.
- If you cannot upgrade immediately, apply the developer's free patch announced alongside 2.9.99.5 — it disables the profile-import surface without requiring a full extension upgrade.
- Hunt for post-compromise artefacts. Look in /tmp and the Joomla web root for unexpected .php files, recently-modified index.php or configuration.php, JCE profile rows in the database with operator-unfamiliar names, and outbound connections from the PHP process to unfamiliar hosts. Compromise predates patching for any site that has been internet-reachable in the past two weeks.
- Rotate the Joomla admin credentials and any database password reachable from configuration.php on every site that was vulnerable, even if you find no IOCs. PHP-process compromise gives the attacker file-read on the config file regardless of whether they planted a web shell.
- Pre-stage a Joomla WAF rule blocking unauthenticated POST traffic to the JCE profile endpoints if you front your sites with a CDN or WAF — useful as defence-in-depth once you have a clean install.
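The inventory and hunt steps above lend themselves to a small read-only triage script. The following is an added example, not code from this newsroom or from the JCE developer: it reports a JCE version below 2.9.99.5, any PHP-like file under the temp directory, PHP files written into the web root inside the exposure window, and recent changes to index.php or configuration.php. It assumes the JCE manifest sits at the usual Joomla component path administrator/components/com_jce/jce.xml (an assumption; check your install), and the demo() fixture is a constructed fake site, not data from any real compromise.

```python
"""Read-only triage helper for the JCE advisory checklist (added example).
Assumption: JCE's manifest lives at administrator/components/com_jce/jce.xml."""
import os
import re
import tempfile
import time

FIRST_FIXED = (2, 9, 99, 5)  # first fixed release named in the advisory
JCE_MANIFEST = os.path.join("administrator", "components", "com_jce", "jce.xml")  # assumed path
CORE_FILES = ("index.php", "configuration.php")
PHP_NAME = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
DAY = 86400


def parse_version(text):
    """'2.9.99.4' -> (2, 9, 99, 4); int tuples compare component-wise, unlike strings."""
    return tuple(int(part) for part in text.strip().split("."))


def jce_is_vulnerable(version):
    """True for every release below the first fixed version."""
    return parse_version(version) < FIRST_FIXED


def read_jce_version(joomla_root):
    """Pull <version> out of the JCE manifest; None if it is absent or unreadable."""
    try:
        with open(os.path.join(joomla_root, JCE_MANIFEST), encoding="utf-8", errors="replace") as fh:
            match = re.search(r"<version>\s*([0-9.]+)\s*</version>", fh.read())
    except OSError:
        return None
    return match.group(1) if match else None


def php_files(directory):
    """Recursively yield files with a PHP-like extension; missing directory yields nothing."""
    for dirpath, _, names in os.walk(directory):
        for name in names:
            if PHP_NAME.search(name):
                yield os.path.join(dirpath, name)


def hunt(joomla_root, tmp_dir="/tmp", window_days=14, now=None):
    """Return (category, detail) findings for one site; an empty list means nothing flagged."""
    now = time.time() if now is None else now

    def recent(path):
        return now - os.path.getmtime(path) < window_days * DAY

    findings = []
    version = read_jce_version(joomla_root)
    if version is None:
        findings.append(("jce-version-unknown", JCE_MANIFEST))
    elif jce_is_vulnerable(version):
        findings.append(("jce-vulnerable", version))

    # The web server has no business writing code into the temp directory.
    for path in php_files(tmp_dir):
        findings.append(("php-in-tmp", path))

    # PHP that appeared or changed in the web root during the exposure window.
    for path in php_files(joomla_root):
        rel = os.path.relpath(path, joomla_root)
        if rel not in CORE_FILES and recent(path):
            findings.append(("php-recently-written", rel))

    # Core files an intruder commonly edits; reconcile hits against your deploy history.
    for rel in CORE_FILES:
        full = os.path.join(joomla_root, rel)
        if os.path.isfile(full) and recent(full):
            findings.append(("core-file-recently-modified", rel))
    return findings


def demo():
    """Constructed fixture: vulnerable JCE manifest, a stray PHP file in a fake temp dir,
    a freshly edited index.php and a configuration.php untouched for 30 days."""
    base = tempfile.mkdtemp()
    root, tmp = os.path.join(base, "site"), os.path.join(base, "tmp")
    os.makedirs(os.path.dirname(os.path.join(root, JCE_MANIFEST)))
    os.makedirs(tmp)
    with open(os.path.join(root, JCE_MANIFEST), "w") as fh:
        fh.write("<extension><version>2.9.99.4</version></extension>")
    for rel in CORE_FILES:
        open(os.path.join(root, rel), "w").close()
    old = time.time() - 30 * DAY
    os.utime(os.path.join(root, "configuration.php"), (old, old))
    with open(os.path.join(tmp, "dropped.php"), "w") as fh:
        fh.write("<?php // constructed placeholder file, no payload\n")
    return hunt(root, tmp_dir=tmp)


if __name__ == "__main__":
    for category, detail in demo():
        print(f"{category}: {detail}")
```

Run it against each real site as hunt("/path/to/joomla") and treat every line as a lead to reconcile against your deploy history, not as a verdict; the database-side check for unfamiliar JCE profile rows still has to be done in your own SQL client.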
Context
This is the second JCE security advisory in twelve months and the first to land in CISA KEV. The pattern across Joomla, WordPress, and Drupal is now unbroken: the most-installed editor or page-builder extension is also the largest unauth-RCE surface on the platform, because it ships with both file-upload primitives and elevated trust assumptions about authenticated administrators. CVE-2026-48907 chains both holes — the profile-import endpoint never asked whether the caller was actually an administrator.
For Joomla operators, the operational question is no longer "is JCE patched"; it is what other code paths in your installed-extension portfolio combine an upload primitive with a trust assumption that does not match the endpoint's actual access control. That is the shape of every WordPress plugin RCE in this newsroom's archive, and now of this one too. Patch JCE today, then audit the rest of the bundled extensions before someone else does.