CVE-2026-48907 PUBLISHED

Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5

Assigner: Joomla
Reserved: 26.05.2026 Published: 05.06.2026 Updated: 05.06.2026

A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red
CVSS Score: 10

Product Status

Vendor: joomlacontenteditor.net
Product: Joomla Content Editor (JCE) extension for Joomla
Versions: Default: unaffected
  • Version 1.0.0-2.9.99.4 is affected

Credits

  • David Jardin (finder)
  • Uwe Flottemesch (finder)

References

Problem Types

  • CWE-284: Improper Access Control

Impacts

  • CAPEC-242: Code Injection