VULNERABILITY OVERVIEW
An improper access control flaw (CWE-284) in the JCE profile import handler lets a fully unauthenticated attacker create rogue editor profiles, which in turn permits arbitrary PHP file upload and execution through a three-request attack chain. Active exploitation has been confirmed, with web shells observed in the wild; CISA added the CVE to the KEV catalog on June 16, 2026 with a three-day federal remediation deadline. A public PoC from YesWeHack and nuclei templates are available on GitHub, and automated scanning at scale has been observed since the PoC was released. Any site still running an affected version should be treated as potentially compromised, not merely unpatched.
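The first question on any Joomla estate is which installs fall inside the affected range listed further down this page (1.0.0 through 2.9.99.4, first fixed in 2.9.99.5, further hardened in 2.9.99.7). The check below is an added example, not code from this advisory or from the JCE project. It takes the version from a JCE manifest (a constructed sample is embedded) or from Joomla's `manifest_cache` JSON and classifies it against those boundaries. The manifest path `administrator/components/com_jce/jce.xml` is an assumption about how JCE packages its component and should be confirmed on your own install; the version-comparison logic deliberately treats `2.9` as equal to `2.9.0` and orders `2.10` after `2.9.99.5`, which naive string comparison gets wrong.

```python
"""Classify a JCE version against the affected range from the advisory.

Added example, not the advisory's or the JCE project's code. The version
boundaries come from the advisory text; the manifest location is an
assumption about JCE's Joomla packaging.
"""
import json
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Boundaries stated in the advisory: 1.0.0 through 2.9.99.4 affected,
# 2.9.99.5 is the first fixed release, 2.9.99.7 adds further hardening.
FIRST_AFFECTED = "1.0.0"
FIRST_FIXED = "2.9.99.5"
HARDENED = "2.9.99.7"

# Assumption: JCE's component manifest lives here, relative to the Joomla
# document root. Verify on a known-good install before relying on it.
MANIFEST_RELPATH = Path("administrator/components/com_jce/jce.xml")


def parse_version(text: str) -> tuple:
    """Normalise a dotted version into a tuple whose natural ordering matches
    release ordering: pre-release/build suffixes are ignored and trailing
    zeros are dropped, so '2.9' == '2.9.0' and '2.10' > '2.9.99.5'."""
    core = text.strip().split("-")[0].split("+")[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable version string: {text!r}")
    parts = [int(p) for p in core.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'hardened' or 'outside-range'."""
    v = parse_version(version)
    if v < parse_version(FIRST_AFFECTED):
        return "outside-range"
    if v < parse_version(FIRST_FIXED):
        return "affected"
    if v < parse_version(HARDENED):
        return "fixed"
    return "hardened"


def version_from_manifest(xml_text: str) -> str:
    """Pull the top-level <version> element out of a Joomla extension manifest."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def version_from_manifest_cache(cache_json: str) -> str:
    """Joomla caches each extension's manifest as JSON in the
    #__extensions.manifest_cache column; the 'version' key is what we need,
    which lets the check run from a database dump without filesystem access."""
    return json.loads(cache_json)["version"]


def check_site(docroot: str) -> tuple:
    """Locate the JCE manifest under a Joomla document root and classify it."""
    manifest = Path(docroot) / MANIFEST_RELPATH
    version = version_from_manifest(manifest.read_text(encoding="utf-8"))
    return version, classify(version)


# Constructed sample manifest, trimmed to the elements this check needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<extension type="component" version="4.0" method="upgrade">
    <name>COM_JCE</name>
    <version>2.9.99.4</version>
    <description>COM_JCE_DESC</description>
</extension>
"""

if __name__ == "__main__":
    v = version_from_manifest(SAMPLE_MANIFEST)
    print(f"JCE {v}: {classify(v)}")
    for probe in ("2.9.99.5", "2.9.99.7", "2.10.0", "2.9", "0.9.1"):
        print(f"JCE {probe}: {classify(probe)}")
```

Run `check_site("/var/www/html")` against each Joomla document root you manage, or feed `version_from_manifest_cache` the `manifest_cache` value for the JCE row from a `#__extensions` dump when you only have database access. A result of `fixed` means the import handler bug is closed; `hardened` means the later defensive changes are present as well. Any `affected` host should go straight to the incident-response track, since the advisory reports web shells already in the wild.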
CVSS BREAKDOWN
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Impact: C:H · I:H · A:H
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v3 base score 9.8)
AFFECTED VERSIONS
JCE versions 1.0.0 through 2.9.99.4 are affected; fixed in 2.9.99.5 (June 3, 2026), with additional hardening in 2.9.99.7.
CITATIONS
- https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites
- https://www.cisa.gov/news-events/alerts/2026/06/16/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.yeswehack.com/news/rce-joomla-content-editor-extension
- https://thehackernews.com/2026/06/cisa-warns-of-actively-exploited-joomla.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-48907