The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-48907, a maximum-severity improper-access-control flaw in the Widget Factory Joomla Content Editor extension — commonly known as JCE, and its Pro edition — to its Known Exploited Vulnerabilities (KEV) catalog on 16 June 2026, citing active exploitation. The CVE/NVD record describes the flaw as allowing unauthenticated users to create new editor profiles, ultimately resulting in PHP code upload and execution. It carries a CVSS v4.0 base score of 10.0 (NVD also lists a CVSS v3.1 score of 9.8) and is classed as improper access control, CWE-284. The flaw affects JCE versions before 2.9.99.5; version 2.9.99.5 shipped the fix on 3 June 2026, and later point releases should be preferred where available.
What the flaw is
The important scoping point first: this is a vulnerability in JCE, a third-party WYSIWYG editor extension published by Widget Factory, not in Joomla core. Sites that do not run JCE are not affected by this CVE.
A JCE editor profile is the per-user-group setting that decides which editor features and file operations are available — which file types may be uploaded, whether the file browser and image manager are exposed, and where uploads land. The defect, classed as improper access control, is that the profile-creation path could be reached without authentication. Public technical summaries describe the vulnerable path as the profile-import workflow, which could be abused by unauthenticated users to create malicious editor profiles. The practical consequence is that an attacker with no account can reach a state that permits the upload and execution of PHP — an unauthenticated path to code execution on the server, which is why it carries the maximum score.
What is confirmed, and what is not
CISA's KEV listing is a statement that the flaw is being exploited in the wild, not merely demonstrated in a lab — that is the bar for inclusion. What is not public is the operational method: there is currently no detailed information on how the exploitation is being carried out. That absence should not be read as low risk. The opposite is true: a KEV listing means exploitation has already been observed, so the lack of a public technique write-up only means defenders are working with less information than the attackers already have. The three-day federal deadline — unusually short compared with many KEV entries — signals that urgency.
How to fix it, and why patching is only step one
Update JCE to a fixed release. Version 2.9.99.5 contains the fix for this CVE; if 2.9.99.6 or later is available, move to the latest release, because later builds include additional hardening. If you cannot update immediately, disable or remove the extension until it can be patched; Widget Factory has also published a free patch for older sites that cannot move to a current Joomla or PHP version.
Do not treat the update as the end of the work. Any public-facing Joomla site that ran a vulnerable JCE version should be checked for prior compromise, because a successful exploit of this class typically leaves persistence behind — a web shell, a backdoor administrator account, injected files — and those survive the patch. Look for editor profiles and administrator accounts you do not recognise, unexpected PHP files in upload or temporary directories, suspicious POSTs to the JCE profile-import path in your web logs, unexpected PHP execution from Joomla temporary or upload directories, and injected content or SEO spam. If any of that turns up, this becomes an incident-response exercise, not a patch.
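The post-patch checks above (profile-import requests in web logs, PHP executed from upload directories, stray PHP files under the upload and temporary folders) can be scripted. The following is an added example written for this article, not code from Widget Factory or the Joomla project. It assumes that JCE's administrator component is addressed as `option=com_jce` and that uploads land under Joomla's default `images/` and `tmp/` directories; the exact task name of the profile-import action is not given in the article, so the `PROFILE_IMPORT_RE` pattern and the `task=profiles.import` value in the constructed sample log are placeholders to be replaced with what your own server shows. Unknown editor profiles and administrator accounts still have to be reviewed in the Joomla backend or the database; this script only covers the log and filesystem checks.

```python
"""Post-patch triage helpers for a Joomla site that ran a vulnerable JCE.

Added example; not from the article, Widget Factory or Joomla.
Assumptions (not confirmed by the article):
  - JCE's admin component is reached via index.php?option=com_jce; the
    task name of the profile-import action is NOT known from the article,
    so PROFILE_IMPORT_RE flags any com_jce request whose query string
    mentions both "profile" and "import".
  - Uploads land under images/ and tmp/ (Joomla defaults), which is where
    the article says unexpected PHP files should be looked for.
"""
import os
import re
from dataclasses import dataclass

# Apache/nginx "combined" format:
#   ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed signature for the JCE profile-import request (see module docstring).
PROFILE_IMPORT_RE = re.compile(
    r'option=com_jce.*(profile.*import|import.*profile)', re.I)

# Extensions a typical PHP handler will execute if they land in the web root.
PHP_EXTS = {'.php', '.phtml', '.phar', '.php5', '.php7'}
UPLOAD_DIRS = ('images', 'tmp')


@dataclass
class Hit:
    ip: str
    time: str
    path: str
    status: str
    reason: str


def looks_like_planted_php(relpath):
    """True if a path relative to the site root is a PHP-executable file
    inside an upload directory. Clean installs keep no PHP there (Joomla
    ships an index.html placeholder in those folders instead)."""
    norm = relpath.replace('\\', '/').lstrip('/')
    top = norm.split('/', 1)[0]
    return top in UPLOAD_DIRS and os.path.splitext(norm)[1].lower() in PHP_EXTS


def scan_access_log(lines):
    """Return entries worth a second look: any request matching the
    (assumed) profile-import signature, and any request for a PHP file
    inside an upload directory, which is what a planted web shell being
    used looks like in a log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m['path']
        if PROFILE_IMPORT_RE.search(path):
            hits.append(Hit(m['ip'], m['time'], path, m['status'],
                            'jce profile import request'))
        elif looks_like_planted_php(path.split('?', 1)[0]):
            hits.append(Hit(m['ip'], m['time'], path, m['status'],
                            'php requested from upload dir'))
    return hits


def find_php_in_upload_dirs(site_root):
    """Walk images/ and tmp/ under a Joomla root and return the relative
    paths of files that looks_like_planted_php() flags."""
    found = []
    for d in UPLOAD_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(site_root, d)):
            for f in files:
                rel = os.path.relpath(os.path.join(dirpath, f), site_root)
                if looks_like_planted_php(rel):
                    found.append(rel)
    return sorted(found)


# Constructed sample log lines (not real traffic; RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jun/2026:02:14:01 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jun/2026:02:14:07 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 303 0 "-" "python-requests/2.31"',
    '203.0.113.5 - - [17/Jun/2026:02:14:20 +0000] "GET /images/stories/cache.php?c=id HTTP/1.1" 200 311 "-" "python-requests/2.31"',
    '198.51.100.7 - - [17/Jun/2026:02:15:00 +0000] "GET /images/banners/logo.png HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for h in scan_access_log(SAMPLE_LOG):
        print(f'{h.time} {h.ip} {h.status} {h.reason}: {h.path}')
    # Point this at the real site root when running on a server.
    print(find_php_in_upload_dirs('.'))
```

Run it against the real access log (`scan_access_log(open('/var/log/apache2/access.log'))`) and the site root; a hit on the profile-import signature from before the update was applied, or any PHP file at all under `images/` or `tmp/`, is enough to switch from patching to incident response as the article advises.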
What it means for the region
Joomla is widely used across ASEAN by small businesses, community organisations and public-sector microsites — exactly the category of site that is internet-facing but often lacks a dedicated security team or a fast patch cycle. The 19 June deadline binds only US federal agencies, but a public Joomla site running a vulnerable JCE is exposed regardless of where it is hosted or who runs it. For regional site owners the message is the same as everywhere: update JCE now, and check whether you were reached before you got to it.
Key Takeaways
CVE-2026-48907 is a CVSS 10.0 improper-access-control flaw (CWE-284) in the Widget Factory Joomla Content Editor extension (JCE / JCE Pro) — not Joomla core — that lets an unauthenticated attacker create editor profiles and upload and run PHP code.
CISA added it to the KEV catalog on 16 June 2026 citing active exploitation, with a 19 June remediation deadline for US federal agencies.
The flaw affects JCE versions before 2.9.99.5; the fix shipped in 2.9.99.5 on 3 June 2026, with 2.9.99.6 adding further hardening — update to the latest release, or disable the extension if you cannot.
Patching only closes the entry point; check any public-facing Joomla site that ran a vulnerable JCE for unknown editor profiles, unknown admin accounts, suspicious PHP files, profile-import POSTs in logs, and injected SEO spam.