- joomla
- jce
- rce
- cve
- cms
- file-upload
news
JCE Joomla Unauthenticated RCE (CVE-2026-48907)
Sploitus-indexed PoCs chain unauthenticated JCE profile import to PHP execution in Joomla tmp/; CVSS 10.0.
Summary
CVE-2026-48907 is a critical unauthenticated remote code execution flaw in the JCE (Joomla Content Editor) extension. Multiple PoCs indexed on Sploitus demonstrate that the profiles.import endpoint accepts file uploads without authentication, staging attacker-controlled content under Joomla's tmp/ directory. On default configurations where PHP execution is permitted in tmp/, this yields straightforward code execution. CVSS 4.0: 10.0.
OFFSITE.DARK cites Sploitus as index source only; indexed repositories include educational PoCs with Docker labs and scanner tooling (e.g., JoomlaSniper).
Technical Details
The vulnerability stems from improper access control (CWE-284) on JCE profile import functionality. Attackers reach the import handler pre-auth and upload profile archives that land in web-served paths.
| Aspect | Detail |
|---|---|
| Component | JCE (Joomla Content Editor) |
| Entry point | profiles.import (unauthenticated) |
| Primitive | Unrestricted upload → PHP in tmp/ |
| Affected | 1.0.0 – 2.9.99.4 (all production versions per indexed PoCs) |
| Patched | 2.9.99.5 |
| Auth | None required |
| CVSS 4.0 | 10.0 Critical |
Exploitation flow (indexed PoCs):
Unauthenticated request
│
▼
profiles.import accepts upload
│
▼
Payload staged to tmp/ (no validation)
│
▼
PHP executes if tmp/ allows script handlers
│
▼
Full Joomla server compromise
Alternate chains in indexed tooling abuse JCE browser RPC after importing a permissive profile that enables PHP uploads to /images/.
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-48907 |
| CWE | CWE-284 (Improper Access Control), CWE-434 (Unrestricted Upload) |
| Vendor fix | JCE ≥ 2.9.99.5 |
| Sploitus date | 2026-06-11 |
| Indexed PoC | Educational PoC with Docker lab |
Impact
Unauthenticated attackers can achieve full server compromise on Joomla sites running vulnerable JCE builds. Joomla is widely deployed; JCE is among the most popular editor extensions. Compromise enables credential theft, site defacement, SEO spam, and lateral movement to database and adjacent services.
Mitigation
- Upgrade JCE to 2.9.99.5 or later immediately.
- Disable PHP execution in `tmp/`, `images/`, and other upload directories via web-server config (`php_admin_flag engine off` together with `AllowOverride None`, so an attacker-dropped `.htaccess` cannot re-enable it). Note that `php_admin_flag` is a mod_php directive; under PHP-FPM, deny requests for script extensions in those directories at the web server instead.
- Block or rate-limit unauthenticated access to `component/jce` import paths at the WAF.
- Hunt IOCs: unexpected `.php`/`.PHP` under `tmp/`, new Super User accounts, webshells in media paths.
- Restrict public access to `tmp/` even on patched builds (defense-in-depth).
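The hardening and hunt steps in the list above, together with the request path shown in the exploitation flow under Technical Details, as one POSIX shell script. This is an added example, not code from the advisory, the indexed PoCs or the JCE project. It assumes Apache httpd with the Joomla webroot passed as the first argument and PHP running as either mod_php or PHP-FPM; the `option=com_jce&task=profiles.import` query shape in the sample log lines is an assumption based on the endpoint name the advisory gives, and the log lines themselves are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example: Apache lockdown stanza plus IOC hunt for the JCE upload-dir
# issue described above. Not from the advisory, the PoCs or the JCE project.
# Assumptions: Apache httpd, Joomla webroot in $1, PHP via mod_php or PHP-FPM.

# 1) Emit a <Directory> stanza that keeps PHP from executing in an upload dir.
#    The FilesMatch deny works under both mod_php and PHP-FPM; php_admin_flag
#    exists only under mod_php (remove that line under PHP-FPM, or httpd will
#    refuse to start on the unknown directive). AllowOverride None stops a
#    dropped .htaccess from re-enabling either path.
upload_dir_lockdown_stanza() {
    dir=$1
    cat <<EOF
<Directory "$dir">
    AllowOverride None
    Options -ExecCGI -Includes
    php_admin_flag engine off
    <FilesMatch "\.(php[0-9]?|phtml|phar|phps)\$">
        Require all denied
    </FilesMatch>
</Directory>
EOF
}

# 2) Hunt the advisory's upload dirs (tmp/, images/) for script-like files and
#    handler overrides. Case-insensitive; catches double extensions such as
#    shell.PhP.jpg and dropped .htaccess/.user.ini files. One path per line.
hunt_upload_dirs() {
    root=$1
    for sub in tmp images; do
        d="$root/$sub"
        [ -d "$d" ] || continue
        find "$d" -type f \( -name '*.[pP][hH][pP]*' \
            -o -name '*.[pP][hH][tT][mM][lL]' \
            -o -name '*.[pP][hH][aA][rR]' \
            -o -name '.htaccess' -o -name '.user.ini' \)
    done
}

# 3) Filter a combined-format access log (stdin) for the two request shapes in
#    the exploitation flow: the profile-import task, and a direct fetch of a
#    .php file under /tmp/. Prints matching lines for triage; the import task
#    alone is not proof of abuse, since an administrator may use it legitimately.
jce_attack_indicators() {
    grep -iE 'profiles\.import|"(GET|POST) /tmp/[^ "]*\.php'
}

# Constructed sample log lines (not captured traffic) for a stand-alone run.
SAMPLE_LOG='203.0.113.7 - - [11/Jun/2026:10:12:01 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [11/Jun/2026:10:12:03 +0000] "GET /images/stories/photo.jpg HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jun/2026:10:12:05 +0000] "GET /tmp/x.php?c=id HTTP/1.1" 200 77 "-" "python-requests/2.31"'

# Usage: sh jce_hunt.sh /var/www/html  -> prints stanzas for tmp/ and images/,
# then lists suspicious files under them. The sample log is scanned either way.
if [ -n "${1:-}" ]; then
    for sub in tmp images; do upload_dir_lockdown_stanza "$1/$sub"; done
    hunt_upload_dirs "$1"
fi
printf '%s\n' "$SAMPLE_LOG" | jce_attack_indicators
```

Run `hunt_upload_dirs` from cron against the webroot and alert on any output; on a clean Joomla install neither `tmp/` nor `images/` should contain anything the `find` expression matches. The `FilesMatch` deny returns 403 before any handler sees the file, which is why it is preferred over `engine off` alone: `engine off` still serves the uploaded source as text, which leaks the attacker's payload but also anything else dropped there.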
Sources
- Sploitus — CVE-2026-48907 Educational PoC (index reference)
- NVD — CVE-2026-48907