Joomla JCE CVE-2026-48907 exploitation

Summary

CVE-2026-48907 is an unauthenticated remote-code-execution vulnerability in JCE, the Joomla Content Editor extension from Widget Factory. NVD describes the flaw as allowing unauthenticated users to create new editor profiles, which can ultimately permit PHP upload and execution.

CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on 2026-06-16. Widget Factory's JCE advisory says the vulnerability is actively exploited, working exploit code is public, and attacks are automated, so lack of public Joomla user registration is not a safe condition.

Why this matters

  • The exploit path abuses JCE profile import rather than normal Joomla account creation; sites without public registration can still be exposed.
  • Successful exploitation can create a rogue JCE editor profile that permits executable uploads, then place PHP files in web-accessible directories.
  • Widget Factory explicitly warns that updating closes the entry point but does not clean an already-compromised site.
  • CISA KEV inclusion makes this a confirmed active-exploitation item for internet-facing CMS response queues, not just a theoretical extension bug.

Operational characteristics

  • Affected product: JCE / Joomla Content Editor extension for Joomla.
  • Affected versions: JCE versions before the June 2026 security releases; Widget Factory says JCE 2.9.99.5 patched the critical issue and 2.9.99.6 added hardening.
  • Recommended fixed version: JCE Pro 2.9.99.6 or later, according to Widget Factory.
  • Legacy patch path: Widget Factory provides a stopgap patch package for JCE 2.7.x, 2.8.x, and 2.9.x sites that cannot immediately meet the 2.9.99.6 PHP / Joomla requirements.
  • Unauthenticated request pivot: Widget Factory tells defenders to inspect web access logs for requests to index.php?option=com_jce&task=profiles.import.
  • Post-exploitation artifact: an unexpected editor profile, often with a meaningless auto-generated name and sometimes ordered to appear at the top of the profile list.
  • Upload-permission change: the rogue profile may permit PHP or other script extensions in plugin settings such as Image Manager or File Browser.
  • Likely file locations: PHP files in images, media, or tmp; Widget Factory notes that when no upload path is set, JCE defaults to the images folder.

Defender heuristics

  • Upgrade JCE to 2.9.99.6 or later; if that is blocked by old PHP / Joomla dependencies, apply Widget Factory's legacy patch as a temporary control and plan a supported-platform migration.
  • Treat internet-facing Joomla sites with vulnerable JCE as potentially compromised even if public user registration is disabled.
  • Preserve suspicious profiles, uploaded files, and relevant web logs before deletion when incident-response evidence matters.
  • Review JCE editor profiles for unfamiliar or auto-generated entries and for upload extension lists that include PHP or other executable types.
  • Hunt web logs for unauthenticated profiles.import requests, especially index.php?option=com_jce&task=profiles.import, and use the earliest hit to set restoration and investigation windows.
  • Inspect images, media, and tmp for PHP files or files with php embedded in names such as *.php.*.
  • After confirmed exploitation, remove rogue profiles and uploaded files only after closing the entry point, then rotate Joomla administrator, database, hosting-panel, FTP/SFTP, SMTP/API, and reused credentials.
  • Run a server-side malware scan and check for additional persistence outside the JCE upload path before declaring cleanup complete.
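The two hunts named above, the web-log search for index.php?option=com_jce&task=profiles.import (using the earliest hit as the start of the investigation window) and the check of images, media and tmp for PHP files or *.php.* names, as an added Python example. This is not code from Widget Factory, Joomla or the advisory; the log lines, client addresses and file names are constructed for illustration, and the extra .phtml and .phar suffixes are an assumption about common PHP handler mappings rather than something the advisory states.

```python
"""Triage helpers for the JCE profiles.import exploitation path (CVE-2026-48907).

Added example, not code from Widget Factory, Joomla or the advisory. Every sample
log line and file name below is constructed for illustration.
"""
import os
import re
import shutil
import tempfile
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined log format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: two profiles.import requests (one with reordered
# query parameters) and one later request to a dropped PHP file in images/.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2026:03:14:22 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/Jun/2026:03:14:30 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2026:03:15:01 +0000] "POST /images/cache.php HTTP/1.1" 200 37 "-" "python-requests/2.31"',
    '192.0.2.9 - - [09/Jun/2026:22:40:00 +0000] "GET /index.php?task=profiles.import&option=com_jce HTTP/1.1" 303 0 "-" "curl/8.0"',
]


def is_profiles_import(target: str) -> bool:
    """True when the request carries option=com_jce and task=profiles.import.

    The query string is parsed rather than substring-matched so that reordered
    or URL-encoded parameters still match.
    """
    query = parse_qs(urlsplit(target).query)
    option = [v.lower() for v in query.get("option", [])]
    task = [v.lower() for v in query.get("task", [])]
    return "com_jce" in option and "profiles.import" in task


def find_profile_import_hits(log_lines):
    """Return profiles.import requests from access-log lines, oldest first."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_profiles_import(m["target"]):
            continue
        hits.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["time"], TIME_FMT),
            "method": m["method"],
            "status": int(m["status"]),
            "target": m["target"],
        })
    hits.sort(key=lambda h: h["time"])
    return hits


def earliest_hit(hits):
    """Earliest profiles.import timestamp, i.e. the start of the investigation window."""
    return hits[0]["time"] if hits else None


# .php is from the advisory; .phtml and .phar are an assumption about suffixes
# that PHP handlers are commonly configured to execute.
PHP_SUFFIXES = (".php", ".phtml", ".phar")
UPLOAD_DIRS = ("images", "media", "tmp")  # JCE defaults to images when no path is set


def is_php_like(name: str) -> bool:
    """Flag direct PHP suffixes and double extensions such as shell.php.jpg (*.php.*)."""
    lower = name.lower()
    return lower.endswith(PHP_SUFFIXES) or ".php." in lower


def find_php_like_files(joomla_root, upload_dirs=UPLOAD_DIRS):
    """Walk the upload directories and return flagged files relative to the site root."""
    flagged = []
    for sub in upload_dirs:
        for dirpath, _dirs, files in os.walk(os.path.join(joomla_root, sub)):
            for fname in files:
                if is_php_like(fname):
                    rel = os.path.relpath(os.path.join(dirpath, fname), joomla_root)
                    flagged.append(rel.replace(os.sep, "/"))
    return sorted(flagged)


def scan_demo_tree():
    """Build a constructed Joomla-like tree in a temp dir, scan it, and clean up."""
    root = tempfile.mkdtemp(prefix="jce-demo-")
    try:
        for rel in ("images/logo.png", "images/index.html", "images/cache.php",
                    "media/upload.php.jpg", "tmp/notes.txt"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_php_like_files(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    hits = find_profile_import_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time'].isoformat()} {h['ip']} {h['method']} {h['target']} {h['status']}")
    print("investigation window starts:", earliest_hit(hits))
    print("flagged upload files:", scan_demo_tree())
```

In a real response, feed `find_profile_import_hits` the full retained access-log history rather than a single file, since the earliest hit decides how far back restoration has to go, and compare anything `find_php_like_files` flags against a clean install of the same Joomla and JCE versions before deleting it, keeping copies for evidence as the list above advises.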

Sources

  • CISA Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48907
  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48907
  • Widget Factory / JCE advisory: https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites