Joomla JCE CVE-2026-48907: Critical RCE Under Attack

The U.S. Cybersecurity and Infrastructure Security Agency just added a maximum-severity flaw to its Known Exploited Vulnerabilities catalog. Federal agencies have until June 19 to patch it.

The vulnerability is CVE-2026-48907. It affects the Widget Factory Joomla Content Editor (JCE), one of the most popular extensions for the Joomla content management system. It carries a CVSS score of 10.0, the highest possible rating.
And it is being actively exploited in the wild.

What Is the Joomla JCE Unauthenticated RCE Vulnerability?

The flaw in JCE (CVE-2026-48907) is an unauthenticated remote code execution vulnerability: the extension fails to restrict who may create new editor profiles, so an attacker who is not logged in can import new editor profiles and then use them to upload and execute PHP code on the web server.

The vulnerability affects JCE versions from 1.0.0 through 2.9.99.4. It was patched in version 2.9.99.5, released on June 3, 2026. A subsequent version, 2.9.99.6, added additional hardening.

In its release notes, Widget Factory acknowledged that "insufficient access controls permitted unauthenticated users to upload editor profiles."

How the Attack Works

The Joomla JCE RCE vulnerability sits in the profile import API endpoint, which makes it quick and easy to exploit. It can be exploited without authentication by combining the following three weaknesses:

Weakness 1: Lack of authentication

The profile import did not require authentication, only a CSRF token (a common web security control) which Joomla embeds in all of its public pages, including the homepage. An attacker can therefore easily harvest a valid CSRF token and use it in a scripted request.

Weakness 2: No file extension validation

The upload function accepted any file extension. A file named payload.xml.php would pass through untouched, and Apache would treat the trailing .php extension as executable PHP.

Weakness 3: Unsafe upload flag

Joomla's file upload function was called with the unsafe flag set to true. That disabled Joomla's built-in blacklist of harmful file extensions, making attacks possible against Joomla sites with no session, username, or password.

An attack takes only three HTTP requests:
1. The attacker obtains a CSRF token from the target site's homepage.
2. The attacker POSTs a malicious file to the profile import endpoint; it is written to the server's temp location, placing a PHP web shell on the server.
3. The attacker executes the web shell with an HTTP request to it.

As a result, an attacker could completely compromise a Joomla server without having a session cookie, username or password.

The Patch: What Changed

Version 2.9.99.5 addresses all three weaknesses:

1. Authorization check: the import function now requires proper authorization, and any attempt by an unauthenticated user to reach it is denied immediately.
2. Allowed file types: only XML files are accepted. Files with more than one extension (e.g., .xml.php) are rejected.
3. Unsafe upload flag removed: the flag is now set to false, so Joomla's extension blacklist applies again.
4. File size restrictions: The maximum size of uploaded files has been limited to 512 KB.
5. XXE protection: External entity loading is not allowed during XML document processing.
6. Field allow list: Only XML fields that are known to be safe will be processed.
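As an added illustration (not JCE's or Joomla's own code), here is a Python model of the six checks listed above applied to one uploaded profile file; the profile XML layout, the field names in the allow list and the sample upload are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Added model of the checks the 2.9.99.5 fix is described as adding; not JCE's code.
# The profile XML layout and the allowed field names are assumed.
MAX_PROFILE_BYTES = 512 * 1024
ALLOWED_FIELDS = {"name", "description", "area", "device", "components", "plugins", "rows"}
# Exactly one extension, and it must be .xml: a name like payload.xml.php cannot match.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_-]+\.xml$")
DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def validate_profile_import(filename, data, authenticated):
    """Return {'ok': bool, 'reason': str, 'profiles': list} for one uploaded file."""
    def reject(reason):
        return {"ok": False, "reason": reason, "profiles": []}

    if not authenticated:
        return reject("authorization required for profiles.import")
    if not SAFE_FILENAME.match(filename):
        return reject("only a single .xml extension is accepted")
    if len(data) > MAX_PROFILE_BYTES:
        return reject("file larger than 512 KB")
    # Refuse any DTD up front so no external entity can ever be declared or loaded.
    if DTD_MARKER.search(data.decode("utf-8", errors="replace")):
        return reject("DOCTYPE/ENTITY declarations are not allowed")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return reject("malformed XML: %s" % exc)
    if root.tag != "profiles":
        return reject("unexpected root element")
    profiles = []
    for node in root.findall("profile"):
        # Field allow list: elements not in ALLOWED_FIELDS are dropped, never stored.
        profiles.append({c.tag: (c.text or "").strip() for c in node if c.tag in ALLOWED_FIELDS})
    return {"ok": True, "reason": "", "profiles": profiles}


# Constructed sample upload (not a real JCE export).
SAMPLE_PROFILE = b"""<profiles>
  <profile>
    <name>Editors</name>
    <description>Site editors</description>
    <plugins>bold,italic</plugins>
    <custom_script>dropped by the allow list</custom_script>
  </profile>
</profiles>"""
```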

Attacks Are Public and Automated

The Joomla JCE unauthenticated RCE vulnerability is made more dangerous by publicly available exploit code and automated tooling for attacking web sites. A site that does not permit public registration is still vulnerable, because the attack targets the JCE extension rather than the site's user registration.

Updating Is Not Enough

There is a crucial warning that every Joomla administrator needs to understand: updating closes the entry point but does not clean a site that was already compromised. If your site was hit before updating, the update will not remove what the attacker left behind.

Once an attacker has uploaded a webshell, they have persistent access. The patch stops new attacks. It does not remove existing backdoors.

How to Clean a Compromised Site

Attackers are using the Joomla JCE unauthenticated RCE vulnerability to import rogue editor profiles and drop webshells. These webshells grant persistent backdoor access to the server.

If a compromise is suspected, complete the following steps:
1. Back up rogue profiles for investigation before deleting them.
2. Update to JCE 2.9.99.6 or later (the newest patched version).
3. Remove any unauthorized editor profiles associated with the incident.
4. Change the passwords of administrative accounts, your databases, and the web hosting account.
5. Run a full server-side malware scan on your hosting provider's system to determine whether any additional security holes exist.

Who Must Patch by When

CISA (Cybersecurity and Infrastructure Security Agency) has added CVE-2026-48907 to its KEV (Known Exploited Vulnerabilities) catalog and requires all federal civilian Executive Branch agencies to remediate the vulnerability by June 19, 2026. This is enforced through Binding Operational Directive 26-04.

How to Identify a Compromised System

Start by searching your web server's access logs for unauthorized requests to the profile import task. Look for entries containing this URL:
index.php?option=com_jce&task=profiles.import
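An added detection script, not from the original article, that runs the log check above over constructed Apache combined-format lines: it lists profile-import requests from IPs outside an administrator allow list, then flags later requests from those same IPs to PHP files outside the usual Joomla entry points (a heuristic for web shell calls). The sample log lines, IPs and paths are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined-log format; not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2026:02:11:03 +0000] "GET / HTTP/1.1" 200 8123 "-" "python-requests/2.31"
203.0.113.7 - - [04/Jun/2026:02:11:04 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 303 512 "-" "python-requests/2.31"
203.0.113.7 - - [04/Jun/2026:02:11:05 +0000] "GET /images/profile.php HTTP/1.1" 200 91 "-" "python-requests/2.31"
198.51.100.20 - - [04/Jun/2026:09:30:00 +0000] "GET /administrator/index.php?option=com_jce&view=profiles HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_lines(log_text):
    """Yield one dict per well-formed access-log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def is_profile_import(target):
    """True when the request target is the JCE profiles.import task."""
    parts = urlsplit(target)
    q = parse_qs(parts.query)
    return (parts.path.endswith("/index.php")
            and q.get("option") == ["com_jce"]
            and q.get("task") == ["profiles.import"])


def find_import_hits(log_text, known_admin_ips=frozenset()):
    """Profile-import requests that did not come from a known administrator IP."""
    return [e for e in parse_lines(log_text)
            if is_profile_import(e["target"]) and e["ip"] not in known_admin_ips]


def followup_php_requests(log_text, known_admin_ips=frozenset()):
    """Heuristic: after an unknown IP hits profiles.import, any later request from it
    to a .php file other than index.php or the administrator area is suspicious."""
    flagged, hits = set(), []
    for e in parse_lines(log_text):
        path = urlsplit(e["target"]).path
        if is_profile_import(e["target"]) and e["ip"] not in known_admin_ips:
            flagged.add(e["ip"])
        elif (e["ip"] in flagged and path.endswith(".php")
              and path != "/index.php" and not path.startswith("/administrator/")):
            hits.append((e["ip"], path))
    return hits
```

Feed the script your real access log instead of SAMPLE_LOG and put your administrators' addresses in the allow list; any remaining hit is a candidate for the clean-up steps above.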

If you find instances of this URL being accessed from unknown IP addresses, you can assume that the system has been compromised and take action as described in the steps listed earlier. In addition, look for suspicious editor profiles that were not created by legitimate administrators.

The Bottom Line

The Joomla JCE unauthenticated RCE vulnerability is a CVSS 10.0 flaw with public exploit code and active, automated attacks. Update to JCE 2.9.99.6 immediately. Check your logs for unauthorized profile imports. 

And assume that any site that was vulnerable before patching may already be compromised.

A perfect 10 is not a warning. It is a countdown.

FAQ Section

What exactly is CVE-2026-48907?

CVE-2026-48907 is a vulnerability in Widget Factory's Joomla Content Editor (JCE) extension that a remote attacker can exploit without authorization. The attacker can upload a malicious file and have it run on the target server, all without authenticating.

Which versions of JCE are affected by this vulnerability?

All JCE versions before 2.9.99.5 are affected.

What is the method of attack for this vulnerability?

An attacker will use the CSRF token they harvest from the target site as a parameter to upload a malicious PHP file via the profile import endpoint. The attacker then executes the webshell by accessing the malicious file via HTTP. 

Are exploits of this vulnerability publicly available and actively used?

Yes. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-48907 to its Known Exploited Vulnerabilities catalog, confirming evidence of active exploitation and public availability of exploit code. As a result, many attacks targeting this vulnerability are automated.

Does updating to the patched version clean my site?

No. Updating closes the entry point for new attacks but does not remove backdoors that were already installed. If your site was compromised before patching, you must clean it manually.

How can I tell if a hacker has infiltrated my website? 

Check your web server logs for requests to index.php?option=com_jce&task=profiles.import and whether those requests came from unusual IP addresses that should never have accessed your site. Besides checking for requests to this URL, you also need to find any editor profile created on your site by someone without your permission.

When does this directive apply to federal offices? 

Per CISA’s binding operational directive, federal executive branch agencies must complete implementation no later than June 19, 2026.

Source: The Hacker News

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067