Joomla JCE CVE-2026-48907: Unauthenticated RCE, Patch to 2.9.99.6 Now

A critical flaw, CVE-2026-48907, in JCE, a hugely popular editor add-on used by many Joomla sites, lets attackers take over a server with no login. Severity is a perfect 10.0, exploit code is public, and automated attacks are underway. CISA has ordered urgent remediation. Here are the affected versions and what to do now.

News

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.17 · 7 min read

A critical flaw that lets attackers take over an entire server without logging in has been found in JCE (Joomla Content Editor), a hugely popular add-on that countless sites install to edit text and images on the Joomla website-building software. The identifier is CVE-2026-48907. Its severity score is the maximum 10.0 (most critical), and tools that automate the attack are already circulating, with real-world exploitation underway.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its list of known exploited vulnerabilities and ordered federal agencies to remediate it by a deadline. This is the kind of case we also track on our CISA KEV dashboard (Japanese). If you use JCE, do not put it off—update to the fixed version right now.

What happened (key points)

Item                  Details
Affected software     JCE (Joomla Content Editor), a popular editor extension for Joomla
Identifier            CVE-2026-48907
Severity              10.0 / 10.0 (most critical, CVSS 4.0); 9.8 under the older CVSS 3.x scale
What it enables       Remote control of the server (takeover) with no login required
Exploitation status   Exploit code public; automated attacks underway
Vulnerable versions   All versions up to 2.9.99.4
Fixed versions        2.9.99.5 (minimum), 2.9.99.6 (recommended)

A vulnerability is a "hole" left in how software is built. What makes this hole especially nasty is that an attacker can exploit it over the internet without holding any account on the site at all. Security vendor Tenable and the vulnerability database OpenCVE both note that it leads to takeover with no authentication and no user interaction.

Who targets this hole, and why

This is not an attack that singles out a specific victim. The people who go after it are operators of automated attacks who pick no particular target and machine-scan the entire internet to scoop up only the sites with an open hole. Once the attack steps are public and automated like this, it makes no difference whether a site is famous or large; sites that left JCE in place get caught one after another.

What the attacker does to a caught site is slip in their own control program from the outside, with no login credentials, and turn that server into a remote-controlled tool. Once this foothold is built, they can rewrite the site, read out stored data, or use the server as a relay for further attacks—all without the operator's knowledge.

The damage runs in two directions. Ordinary visitors to the site may be steered to a fake login page (phishing) or made to download malicious files without realizing it. For the company or individual running the site, the losses pile up fast: defaced pages, leakage of personal data held in contact forms and the like, collapsed search rankings, and the loss of trust that comes with being an unwitting "accomplice" once your server is used as a stepping stone. That is exactly why the update described next is so urgent.

What is JCE in the first place?

Joomla is free software (a CMS, or content management system) that lets you build and publish websites and articles without any programming knowledge. It is used by companies, schools, and local governments worldwide, and—centered on the official Joomla project—it is one of the leading open-source applications supported by users across the globe.

Among the add-ons you bolt onto Joomla, JCE is the "text editor" that lets you edit content as it will appear and handles image uploads and replacements in one place. It is considered the most widely installed editor extension for Joomla; YesWeHack, which analyzed the flaw, describes it as "one of the most installed Joomla editors." In other words, if you build sites with Joomla, the odds that your own site has JCE installed are far from low.

JCE is open-source software whose code is public; it is developed by UK-based Widget Factory and managed in a repository on GitHub. When a widely distributed component has a hole, the huge number of sites that use it are all exposed at once—a supply-chain-style risk. We track these "vulnerabilities in widely used components" on an ongoing basis in our OSS supply chain scanner.

A technical look: three flaws chained together

This vulnerability is classified as CWE-284 (Improper Access Control). The problem was not a single bug; three weaknesses in JCE's "editor profile import" feature chained together and led straight to the worst outcome—unauthenticated takeover. Based on YesWeHack's analysis, here is what was going on, step by step.

First, the entrance had no lock. The import endpoint, which should only be reachable by a logged-in administrator, never checked whether the caller was logged in at all. The only gate was a CSRF token, and a CSRF token is not a credential: it only shows that the request was assembled from a page this site served, and the public front end hands one to every anonymous visitor. An attacker who fetches any page, reads the token out of it and replays it walks straight through the gate.

Second, the file type was not verified. The upload handler only ran the filename through `File::makeSafe()`, which strips characters that are illegal in a filename but leaves the extension untouched. As a result, program files such as `.php`, which the web server executes directly, sailed straight through.

Third, the safety control was switched off from the inside. The code explicitly passed `$allow_unsafe = true` to the upload routine, deliberately disabling Joomla's built-in mechanism that rejects dangerous extensions.

With all three lined up, an attacker could drop a malicious PHP file into a temporary folder on the server without logging in, then call it directly from a browser to execute it. The attack flow—"grab the password from a public page → send a file disguised as a fake profile → access the dropped file and run it"—completes in just a few exchanges. Working proof-of-concept code is published on GitHub, and even a module for the Metasploit attack tool and detection templates are circulating. The bar to attack is now about as low as it gets.
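
To make the three weaknesses concrete, here is an added illustration in PHP, written for this article and not taken from JCE's code base or from YesWeHack's write-up: a minimal Joomla controller task that has all three defects, beside a hardened version of the same task. The class name, the `profile` form field, the `core.manage` permission on the `com_jce` asset and the assumption that a profile export is JSON are choices made for the example; the Joomla APIs used (`Session::checkToken()`, `File::makeSafe()`, `File::getExt()`, `File::upload()`) are real.

```php
<?php
// Added illustration, not JCE's code: one Joomla admin-controller task with the
// three weaknesses described above, beside a hardened version. Class name,
// task names, the 'profile' field and the 'com_jce' asset are assumptions.
use Joomla\CMS\Factory;
use Joomla\CMS\Filesystem\File;
use Joomla\CMS\Language\Text;
use Joomla\CMS\MVC\Controller\BaseController;
use Joomla\CMS\Session\Session;

class ProfilesControllerExample extends BaseController
{
    /** Vulnerable shape: reachable by anyone holding a (public) CSRF token. */
    public function importVulnerable()
    {
        // (1) The only gate is the CSRF token. It proves the request was built
        // from a page this site served, not that a privileged user sent it, and
        // the front end hands a token to anonymous visitors.
        Session::checkToken() or jexit(Text::_('JINVALID_TOKEN'));

        $file = $this->input->files->get('profile', [], 'array');

        // (2) makeSafe() only strips illegal characters; "shell.php" survives.
        $name = File::makeSafe($file['name']);
        $dest = Factory::getApplication()->get('tmp_path') . '/' . $name;

        // (3) $allowUnsafe = true switches off InputFilter::isSafeFile(), the
        // check inside File::upload() that would have rejected a .php upload.
        File::upload($file['tmp_name'], $dest, false, true);
        // $dest now holds attacker-controlled PHP under a web-reachable path.
    }

    /** Hardened shape: identity, permission, token, allow-list, then write. */
    public function importHardened()
    {
        $app  = Factory::getApplication();
        $user = $app->getIdentity();

        // (1) Authenticate and authorise before touching the request body.
        if ($user === null || $user->guest || !$user->authorise('core.manage', 'com_jce')) {
            throw new \RuntimeException(Text::_('JERROR_ALERTNOAUTHOR'), 403);
        }
        // The CSRF token stays, as a second check rather than the only one.
        if (!Session::checkToken()) {
            throw new \RuntimeException(Text::_('JINVALID_TOKEN'), 403);
        }

        $file = $this->input->files->get('profile', [], 'array');
        if (empty($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
            throw new \RuntimeException('No file uploaded', 400);
        }

        // (2) Allow-list what a profile export is (JSON is assumed here) and
        // test the *last* extension, so "profile.json.php" is rejected.
        $ext = strtolower(File::getExt($file['name']));
        if ($ext !== 'json') {
            throw new \RuntimeException('Unexpected file type', 415);
        }

        // Never reuse the client's filename. tmp_path should already point
        // outside the web root; a random name and immediate deletion limit
        // exposure where it does not.
        $dest = rtrim($app->get('tmp_path'), '/') . '/profile-' . bin2hex(random_bytes(8)) . '.json';

        // (3) Leave Joomla's unsafe-file filter on ($allowUnsafe = false).
        if (!File::upload($file['tmp_name'], $dest, false, false)) {
            throw new \RuntimeException('Upload rejected', 400);
        }

        // Treat the content as data, never as code: parse it, then discard the file.
        $profile = json_decode(file_get_contents($dest), true);
        File::delete($dest);
        if (!is_array($profile)) {
            throw new \RuntimeException('Malformed profile', 400);
        }
        // ... import $profile into the editor-profile table from here.
    }
}
```

The order of checks in the hardened version is the point: identity and permission first, then the CSRF token, then a strict allow-list on what the upload may be, and only then a write, with Joomla's unsafe-file filter left on (the fourth argument of `File::upload()`). Any one of the three original defects on its own would have been survivable; chained, they turned an administrative import form into an unauthenticated file drop.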

Is your site at risk? Version quick-reference

Whether you are at risk comes down to which JCE version you have. Check the JCE version under "Extensions" in your admin panel and find where you stand in the table below.

JCE version                                          Status                    What to do
Up to 2.9.99.4                                       Vulnerable (hole open)    Update now
2.9.99.5                                             Hole closed (minimum)     Update to 2.9.99.6 recommended
2.9.99.6 or later                                    Safe (recommended)        Keep this state
2.7.x / 2.8.x / 2.9.x where upgrading is impossible  Vulnerable (hole open)    Apply the free security patch

The recommended 2.9.99.6 requires PHP 7.4+ and Joomla 3.10+. For older environments that cannot meet these conditions, the developer provides a free security patch for 2.7.x / 2.8.x / 2.9.x that closes the hole only. Since this is a stopgap that does not include the extra hardening in 2.9.99.6, aim to update the main package whenever possible.

What to do right now

The fix is simple, but hurry. Now that attacks are automated, the "our site is too small to be targeted" mindset no longer holds.

  • Update JCE to 2.9.99.6. Use the update feature in your admin panel, or get the latest version from the official site. If an older environment cannot update, apply the free patch.
  • Check whether you have already been breached. Updating prevents future intrusions; it does not erase past damage. Look for unfamiliar PHP files in temporary and public folders, and for administrator accounts that appeared on their own.
  • If you do not use JCE, disable or remove it. An extension left installed but unused only leaves the entrance to the hole open.
  • Review your server access logs. Check for suspicious file uploads or access to URLs you do not recognize.
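
As an added, runnable companion to this checklist, written for this article and not part of the original page or of the JCE project, the PHP command-line script below automates three of the four items: it reads the installed JCE version and compares it with the fixed versions from the table above, lists PHP files under `tmp/` and `images/` (directories that should never contain code), and scans an access log for requests that fetch such a file or POST to the JCE component. The manifest path `administrator/components/com_jce/jce.xml`, the `option=com_jce` URL shape, and the sample site and log lines that `buildDemo()` creates when no path is given are all assumptions constructed for the example.

```php
<?php
// jce-triage.php: added example, not from the article or from the JCE project.
// Usage: php jce-triage.php /path/to/joomla [/path/to/access.log]
// Without arguments it builds a small constructed demo site in a temp dir.
// Assumptions: the JCE manifest is administrator/components/com_jce/jce.xml
// with a <version> element; version thresholds come from the article's table.
// Caveat: the free patch for 2.7.x/2.8.x/2.9.x keeps the old version number,
// so a version check alone cannot tell whether that patch has been applied.
const JCE_MIN_FIXED   = '2.9.99.5';
const JCE_RECOMMENDED = '2.9.99.6';

function jceVersion(string $root): ?string
{
    $manifest = "$root/administrator/components/com_jce/jce.xml";
    if (!is_file($manifest)) {
        return null;
    }
    $xml = @simplexml_load_file($manifest);
    return ($xml !== false && isset($xml->version)) ? trim((string) $xml->version) : null;
}

function jceStatus(?string $v): string
{
    if ($v === null) {
        return 'not installed, or manifest not found';
    }
    if (version_compare($v, JCE_MIN_FIXED, '<')) {
        return 'VULNERABLE: update to ' . JCE_RECOMMENDED . ' (or apply the free patch) now';
    }
    return version_compare($v, JCE_RECOMMENDED, '<') ? 'hole closed; ' . JCE_RECOMMENDED . ' recommended' : 'safe';
}

/** PHP files under tmp/ and images/: neither directory should contain code. */
function suspiciousPhpFiles(string $root): array
{
    $hits = [];
    foreach (['tmp', 'images'] as $dir) {
        if (!is_dir("$root/$dir")) {
            continue;
        }
        $files = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator("$root/$dir", FilesystemIterator::SKIP_DOTS)
        );
        foreach ($files as $f) {
            if (preg_match('/\.(php\d?|phtml|phar)$/i', $f->getFilename())) {
                $hits[] = $f->getPathname() . '  (modified ' . date('c', $f->getMTime()) . ')';
            }
        }
    }
    return $hits;
}

/** Log heuristics: a PHP file under /tmp/ or /images/ being requested, or a
 *  POST to the JCE component. "option=com_jce" is an assumed URL shape. */
function suspiciousLogLines(string $log): array
{
    $re   = '~"(?:GET|POST) /(?:tmp|images)/[^" ]*\.ph(?:p\d?|tml|ar)|"POST /[^"]*option=com_jce~i';
    $hits = [];
    foreach (file($log, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        if (preg_match($re, $line)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

/** Constructed demo data (not a real incident) so the script runs offline. */
function buildDemo(): string
{
    $root = sys_get_temp_dir() . '/jce-demo-' . bin2hex(random_bytes(4));
    foreach (['administrator/components/com_jce', 'tmp', 'images'] as $d) {
        mkdir("$root/$d", 0700, true);
    }
    file_put_contents("$root/administrator/components/com_jce/jce.xml",
        "<extension type=\"component\"><name>JCE</name><version>2.9.99.4</version></extension>\n");
    file_put_contents("$root/tmp/x9k2.php", "<?php /* planted */\n");
    file_put_contents("$root/access.log", implode("\n", [
        '203.0.113.7 - - [17/Jun/2026:09:12:01 +0000] "GET / HTTP/1.1" 200 5123',
        '203.0.113.7 - - [17/Jun/2026:09:12:02 +0000] "POST /index.php?option=com_jce HTTP/1.1" 200 312',
        '203.0.113.7 - - [17/Jun/2026:09:12:03 +0000] "GET /tmp/x9k2.php?c=id HTTP/1.1" 200 88',
        '198.51.100.4 - - [17/Jun/2026:09:13:44 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
    ]) . "\n");
    return $root;
}

$root = $argv[1] ?? buildDemo();
$log  = $argv[2] ?? "$root/access.log";
$v    = jceVersion($root);

echo 'JCE version: ', $v ?? 'n/a', ' -> ', jceStatus($v), "\n";
echo "PHP files in tmp/ and images/ (should be none):\n";
foreach (suspiciousPhpFiles($root) as $hit) {
    echo "  $hit\n";
}
if (is_file($log)) {
    echo "Suspicious access-log lines:\n";
    foreach (suspiciousLogLines($log) as $hit) {
        echo "  $hit\n";
    }
}
```

On the demo data the script reports version 2.9.99.4 as vulnerable, flags `tmp/x9k2.php`, and matches the two log lines for the POST to `com_jce` and the later request for the dropped file. The fourth checklist item, administrator accounts that appeared on their own, needs the database rather than the filesystem: list users in `#__users` whose `registerDate` is recent and who are mapped to the Super Users group in `#__user_usergroup_map`, and compare against the accounts you know you created.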

You can also confirm the severity rating at NVD (the U.S. vulnerability database). If defacement or data leakage is suspected, preserving evidence (logs and files) before recovery will help with later root-cause investigation.

Wrap-up

CVE-2026-48907 is about as bad as it gets for a website: server takeover with no login, over the internet. The severity is a perfect 10.0, exploit code is public, attacks are automated, and it has landed on CISA's exploited-vulnerabilities list. Every condition is tilted to the "worst" side.

The saving grace is that the countermeasure is clear. Just updating JCE to 2.9.99.6 (or applying the free patch) closes the entrance. If you run a Joomla site or build them for clients, open your admin panel and check the version the moment you finish reading this. The more widely a component is used, the more directly the speed of your response decides the scale of the damage.
