CVE-2026-48907

Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5

CVSS 10 CRITICAL | EPSS 80.4% | KEV | CWE-284
In short

The JCE editor extension for Joomla allows anyone, even without logging in, to create new editor profiles that can lead to uploading and running harmful PHP code on the website. This gives attackers complete control over the server.

Technical detail

The vulnerability enables unauthenticated users to create arbitrary editor profiles in the JCE extension, which can be abused to upload and execute PHP code on the server. The attack requires no authentication and results in remote code execution with full server privileges.

Summary generated and translated by AI from the official description.
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
