Joomla JCE CVE-2026-48907: 2.5 Million Sites Open to Unauthenticated Code Execution

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Attackers are dropping persistent PHP web shells on Joomla websites worldwide using CVE-2026-48907, a CVSS 10.0 flaw in the Joomla Content Editor extension that requires zero credentials, zero user interaction, and zero prior access to exploit.
Joomla JCE CVE-2026-48907 is a maximum-severity improper access control vulnerability in the Widget Factory Joomla Content Editor (JCE), one of the most widely installed third-party extensions across the 2.5 million active Joomla sites worldwide. CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 16, 2026, and set a remediation deadline of June 19 for all Federal Civilian Executive Branch agencies. Automated scanning campaigns are already sweeping every internet-facing Joomla site for unpatched JCE installations.
The attack requires a single HTTP POST request to the JCE profile import endpoint. An unauthenticated attacker sends a crafted request to index.php?option=com_jce&task=profiles.import, which creates a malicious editor profile without any authentication check. That profile relaxes the upload restrictions in JCE's file manager, allowing the attacker to place a PHP file inside a web-accessible directory and execute arbitrary commands on the underlying server. No administrator account, no session token, and no prior foothold is required.
Widget Factory released the patch in JCE version 2.9.99.5 on June 3, 2026. Any site still running JCE 2.9.99.4 or earlier faces live exploitation attempts right now. The gap between patch release and CISA KEV listing was 13 days, confirming that in-the-wild exploitation began before most administrators had applied routine maintenance updates. If your Joomla site runs JCE and has not been updated this month, treat today as incident response, not scheduled patching.
How Does the Joomla JCE CVE-2026-48907 Exploit Work?
CVE-2026-48907 exploits a logical flaw in how JCE handles editor profile imports. The Joomla Content Editor stores configuration settings such as allowed file types, upload directories, and user permissions inside editor profiles. The profile import function does not verify whether the requesting user holds a valid authenticated session before processing the profile data.
The attack chain runs in three steps. In step one, the attacker sends an unauthenticated HTTP POST request to index.php?option=com_jce&task=profiles.import. JCE accepts the request, processes the attacker-supplied profile XML, and creates a new editor profile in the Joomla database. The profile is configured with permissive settings that accept PHP file extensions and write to web-accessible directories.
In step two, the attacker triggers JCE's file upload functionality. The newly created rogue profile overrides the normal upload restrictions, allowing a PHP payload to be submitted as if it were a legitimate image or media file. JCE stores the PHP file inside a publicly reachable directory such as images/, media/, or uploads/.
In step three, the attacker sends a GET request to the uploaded file's URL. The web server executes the PHP code with the privileges of the web server process, giving the attacker a persistent remote shell capable of reading server files, executing OS commands, connecting to the database, and installing additional backdoors or malware.
YesWeHack researcher Phil E. Taylor, who documented the full attack chain, noted that "attackers who import a rogue profile can use it to drop a web shell, granting attackers a persistent backdoor on the server." Public proof-of-concept code on GitHub makes the three-step sequence executable by any attacker with basic scripting knowledge. This vulnerability affects every JCE version from 1.0.0 through 2.9.99.4, spanning the full commercial history of the extension.
Unauthenticated Profile Import
Attacker sends HTTP POST to index.php?option=com_jce&task=profiles.import with crafted XML. JCE creates a rogue editor profile without verifying the requester holds an authenticated session.
PHP Payload Upload
The rogue profile relaxes upload restrictions. Attacker uploads a PHP web shell through JCE's file manager, bypassing extension and path checks. File is stored in images/, media/, or uploads/ directory.
Remote Code Execution
Attacker GET-requests the uploaded PHP file URL. Web server executes the code with web process privileges. Attacker gains persistent server access, database read access, and lateral movement capability.
Which Joomla Sites Are Exposed to CVE-2026-48907?
Every Joomla site running the JCE extension at version 2.9.99.4 or earlier is directly reachable from the public internet right now. The exposure scope is broad because JCE is one of the most widely adopted third-party extensions in the Joomla ecosystem, preferred by administrators for its rich text editing capabilities.
Joomla powers approximately 2.5 million active websites globally, representing roughly 2% of all CMS-powered sites worldwide according to W3Techs data. Because JCE is distributed as a separate extension that administrators install independently, there is no single authoritative count of active JCE installations. Security researchers scanning for the JCE profile import endpoint across Joomla-powered hosts confirmed that exposed instances number in the hundreds of thousands.
The affected population includes government agencies, educational institutions, healthcare portals, e-commerce platforms, and news publications that rely on Joomla as their CMS. Many use JCE specifically because it provides a more capable rich text editor than Joomla's default editor for non-technical content publishers. That legitimate popularity creates a large, predictable attack surface that automated scanners exploit efficiently.
Automated scanning campaigns targeting CVE-2026-48907 were confirmed active within days of CISA's KEV listing on June 16, 2026. CISA's reporting describes widespread scans probing for the JCE profile import endpoint across all internet-accessible Joomla hosts. Any site with JCE installed and publicly accessible is being queried by these campaigns right now.
CISA's June 2026 Known Exploited Vulnerabilities additions signal that federal monitoring has confirmed active exploitation rather than theoretical risk. See our coverage of CISA's June 2026 KEV patch deadlines for the full catalog of current federal remediation requirements.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
What Attackers Do After Dropping a Web Shell on Your Joomla Site
A PHP web shell installed through CVE-2026-48907 is not a dead-end compromise. Threat actors use the initial foothold for a multi-stage attack sequence.
Credential extraction is the immediate first step. PHP code executing in the Joomla web root can read configuration.php directly, extracting the database host, username, and password in plaintext. Attackers harvest these credentials and reuse them against other internal services or sell them to initial access brokers packaging ransomware affiliate access.
Data exfiltration follows credential extraction. The Joomla database contains user accounts, session tokens, form submissions, and any application data the site processes, which can include personally identifiable information for site registrations, e-commerce transaction records, and internal business data. Attackers compress and exfiltrate this data before triggering any visible ransomware or defacement.
Persistence expansion is a parallel goal. A single web shell in images/ can be used to deploy secondary shells across multiple directories, modify .htaccess files to redirect traffic or inject malicious scripts, or install cron jobs that re-introduce backdoors after initial cleanup. Widget Factory's advisory specifically warns: "updating closes the entry point but does not clean a site that was already compromised." A patch alone is not remediation if exploitation has already occurred.
Lateral movement is the final phase for attackers where the Joomla server is not isolated. Database credentials often reuse passwords across services, the web server process account may have access to shared file systems, and the compromised host can serve as a pivot point for scanning internal network segments. This risk is acute in shared hosting environments where server compromise can affect multiple co-hosted sites.
“Updating closes the entry point but does not clean a site that was already compromised.”
Widget Factory / Joomla JCE Security Advisory, June 2026
Indicators of Compromise: Detecting CVE-2026-48907 Exploitation in Your Environment
Detecting exploitation requires checking access logs, the database, and the file system. The attack leaves distinct traces at each of the three stages.
In access logs, search for POST requests containing com_jce and task=profiles.import. Any external IP address that sent a POST to this endpoint after June 3, 2026, should be treated as an exploitation attempt. Requests to JCE's file upload path from the same source IPs represent stage two of the attack chain. Look for URL patterns containing option=com_jce alongside task=plugin and imgmanager strings.
In the Joomla database, query the #__jce_profiles table for any profile not created by a verified administrator. Attackers insert profile records as part of stage one and these records persist even after PHP web shell files are deleted, acting as latent backdoor configuration entries that re-enable upload bypass if the attacker returns.
In the file system, search for PHP files inside web-accessible media directories. The command find /path/to/joomla/images -name "*.php" -type f surfaces any PHP files in the images directory, which should contain only media assets in a clean installation. Extend this check to media/, uploads/, and tmp/ directories. Any PHP file with a creation timestamp after your last verified upload is a web shell candidate.
Common web shell filenames include randomized names designed to blend with legitimate files, as well as generic names like shell.php, c99.php, or names mimicking Joomla component files. Treat any unexpected PHP file in a media directory as confirmed compromise until proven otherwise.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
How to Patch and Remediate CVE-2026-48907 Before the Weekend
Patching JCE to 2.9.99.5 closes the profile import attack path. Remediation for sites that may already be compromised requires additional steps that the patch alone does not complete.
The update is available through Joomla's standard extension update mechanism. Navigate to Extensions > Manage > Update in the Joomla admin panel, check for updates, and apply the JCE update. If the update does not appear, install version 2.9.99.5 directly from the Widget Factory website. Verify the installed version in Extensions > Manage > Manage after the update completes.
For sites where JCE cannot be updated immediately, a WAF rule blocking POST requests to any URL containing com_jce and task=profiles.import eliminates the attack surface at the network layer. Treat this as a temporary control, not a permanent fix.
This attack class mirrors the pattern of unauthenticated remote code execution vulnerabilities targeting web infrastructure where a single unpatched endpoint on an internet-facing server provides a direct path to full server compromise. The remediation steps below should be completed in order.
Update JCE to version 2.9.99.5 or later
Navigate to Extensions > Manage > Update in your Joomla admin panel and apply the JCE update. This closes the unauthenticated profile import endpoint immediately. Verify the installed version shows 2.9.99.5 in Extensions > Manage > Manage after the update completes.
Audit the #__jce_profiles database table for rogue entries
Log into phpMyAdmin or your database client and run SELECT * FROM your_prefix_jce_profiles. Delete any profile not created by a verified administrator. Attackers leave these records after exploitation and can re-enable upload bypass by reactivating a rogue profile.
Search web-accessible directories for unexpected PHP files
Run find /path/to/joomla/images -name '*.php' -type f and repeat for media/, uploads/, and tmp/. Any PHP file in these directories is a web shell candidate. Remove all unexpected PHP files and audit directory modification timestamps.
Review access logs for POST requests to the JCE profile endpoint
Grep your web server access logs for POST requests containing com_jce and task=profiles.import. Any external IP hitting this endpoint after June 3, 2026, represents an exploitation attempt. Document source IPs for threat intelligence and block them at the perimeter.
Rotate all credentials stored in configuration.php
Change the Joomla database password, FTP credentials, Joomla administrator account passwords, and any API keys stored in configuration.php if compromise is suspected. A web shell grants read access to this file in plaintext.
Add a WAF rule blocking the JCE profile import endpoint
Configure a Web Application Firewall rule to block POST requests to any URL containing option=com_jce and task=profiles.import. This provides defense in depth independent of the JCE patch status and blocks automated scanner hits during any update window.
Verify file system integrity before returning to normal operations
Compare your Joomla installation against a known-good backup using a file integrity monitor or diff against a clean download. Confirm no PHP web shells, modified .htaccess files, or injected scripts remain after removing rogue JCE profiles and unexpected PHP files.
Why Joomla JCE CVE-2026-48907 Matters for Your Organization
CVE-2026-48907 is not a Joomla core vulnerability. It is an extension vulnerability. That distinction matters operationally. Joomla's built-in update notifications cover core software, but extension updates require separate monitoring. Organizations that apply Joomla core patches diligently but lack an extension inventory and update process carry full exposure to CVE-2026-48907 even with a fully current core installation.
The extension attack surface is a documented blind spot in CMS security programs. A 2026 analysis of Joomla compromises found that the majority of successful intrusions targeted extensions rather than Joomla core, because extension code paths receive less security review scrutiny and take longer to patch across the installed base. CVE-2026-48907 follows this pattern: the JCE patch released June 3, but CISA confirmed active exploitation 13 days later, meaning a significant portion of the JCE user base had not updated within two weeks of a critical fix.
For organizations hosting public-facing Joomla sites, the downstream risks extend beyond website defacement. A compromised Joomla server that stores donor data, patient portal links, constituent contact information, or financial records carries breach notification obligations under state privacy laws, HIPAA, and similar frameworks. The cost of a post-exploitation breach notification response consistently exceeds the cost of an extension update program by two to three orders of magnitude.
The remediation window before the weekend is closing. Automated scanning campaigns targeting CVE-2026-48907 do not pause for weekends. Any Joomla site with an unpatched JCE installation that remains accessible carries confirmed active exploitation risk for 48 additional hours before Monday business operations resume. One patch, applied today, eliminates that risk entirely.
The bottom line
Joomla JCE CVE-2026-48907 is a CVSS 10.0 unauthenticated web shell vulnerability with confirmed active exploitation, a public proof-of-concept, and a federal remediation deadline of today. Any Joomla site running JCE 2.9.99.4 or earlier is a live target right now. Three actions before tonight: update JCE to 2.9.99.5, audit the #__jce_profiles database table for rogue entries, and search images/ and media/ directories for unexpected PHP files. If you find a web shell, rotate all credentials before restoring service.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2026-48907?
CVE-2026-48907 is a CVSS 10.0 improper access control vulnerability in the Widget Factory Joomla Content Editor (JCE) extension. It allows any unauthenticated attacker to create a rogue editor profile by sending a single HTTP POST request, then use that profile to upload and execute PHP code on the affected web server. CISA added it to the Known Exploited Vulnerabilities catalog on June 16, 2026, confirming active in-the-wild exploitation across internet-accessible Joomla sites.
Which versions of Joomla JCE are vulnerable?
All JCE versions from 1.0.0 through 2.9.99.4 are affected by CVE-2026-48907. Widget Factory released the patched version 2.9.99.5 on June 3, 2026. Sites running any version prior to 2.9.99.5 are exposed to unauthenticated code execution. Check your installed version at Extensions > Manage > Manage in the Joomla admin panel. Version 2.9.99.6 is the current fully hardened release as of June 2026.
How does CVE-2026-48907 work step by step?
An unauthenticated attacker sends a crafted HTTP POST to index.php?option=com_jce&task=profiles.import. JCE creates a rogue editor profile without verifying the requester holds an authenticated session. The rogue profile relaxes upload restrictions in JCE's file manager. The attacker submits a PHP payload through the file upload interface, which accepts it under the permissive profile settings. The PHP file is stored in a web-accessible directory. The attacker then GET-requests the file URL, and the web server executes the PHP code, giving the attacker full persistent server access.
Is Joomla core software affected or only the JCE extension?
Only the JCE extension is affected by CVE-2026-48907. Joomla core software is not vulnerable to this specific attack. CVE-2026-48907 targets the Widget Factory Joomla Content Editor, a third-party extension installed separately from core. Sites running Joomla without the JCE extension are not exposed to this vulnerability. However, sites with JCE installed carry exposure regardless of how current their Joomla core installation is, because extension updates are tracked separately.
How do I know if my Joomla site was already compromised by CVE-2026-48907?
Check three places. First, review web server access logs for POST requests to any URL containing com_jce and task=profiles.import after June 3, 2026. Any such request from an external IP is an exploitation attempt. Second, query the #__jce_profiles database table for any profile not created by a verified administrator. Third, search images/, media/, uploads/, and tmp/ directories for any PHP files, which should not exist there in a clean installation.
What is the patch for CVE-2026-48907?
Update JCE to version 2.9.99.5 or the current latest release (2.9.99.6 as of June 2026). Apply the update through Extensions > Manage > Update in the Joomla admin panel. If the update does not appear automatically, download it directly from the Widget Factory website and install it manually. Patching closes the unauthenticated profile import endpoint but does not remove any web shells or rogue profiles already placed by attackers before the update was applied.
How do I detect CVE-2026-48907 exploitation attempts in my access logs?
Search web server access logs for POST requests containing the string com_jce combined with task=profiles.import. This is the specific endpoint the attack targets in stage one. Also check for follow-up requests to JCE upload paths containing option=com_jce alongside task=plugin and imgmanager from the same source IPs. Requests to these paths from any IP other than known administrator workstations after June 3, 2026 indicate active targeting or successful exploitation.
What do attackers do after successfully exploiting CVE-2026-48907?
Attackers read configuration.php to extract database credentials in plaintext, then connect to the database to steal user records, form data, and personally identifiable information stored by the site. They deploy secondary web shells across multiple directories for persistence and may modify .htaccess files to inject malicious scripts into all site pages. In cases where the Joomla server has internal network access, attackers use the compromised host as a pivot point for scanning internal systems and escalating access beyond the web server.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
