CVSS 10.0 JCE Editor Vulnerability in Joomla Actively Exploited and Scanned on GitHub

CVE‑2026‑48907 in Joomla's popular JCE editor scores a perfect CVSS 10.0, is listed in CISA's KEV catalog as actively exploited, and can be triggered by an unauthenticated attacker with just three HTTP requests, prompting urgent patching and thorough post‑patch forensics.

Black & White Path

Vulnerability Overview

CVE‑2026‑48907 is a critical improper‑access‑control flaw in the Joomla Content Editor (JCE) that allows unauthenticated remote code execution (RCE). The vulnerability receives a CVSS v4 score of 10.0 and affects JCE versions 1.0.0 through 2.9.99.4. Widget Factory released version 2.9.99.5 on 2026‑06‑03 to fix the issue and added a hardening release, 2.9.99.6, on 2026‑06‑10.

Three‑Layer Attack Chain

1. Missing Authorization Check

The import endpoint /index.php?option=com_jce&task=profiles.import validates only a CSRF token. Joomla embeds a valid token in every public page, so an attacker can capture the token and invoke the endpoint without any user‑identity verification (no Factory::getUser() or $user->authorise(...) call).

2. No File‑Extension Validation

Uploaded filenames are processed by File::makeSafe(), which strips illegal OS characters but does not enforce an extension whitelist. Consequently, double‑extension payloads such as nuclei-deadbeef.xml.php bypass the check and are stored with a .php suffix.

3. allow_unsafe=true Disables the Final Safeguard

The core upload method

File::upload($src, $dest, $use_streams = false, $allow_unsafe = false)

normally enables a blacklist of dangerous extensions. The exploit passes true as the fourth argument, turning off this blacklist and allowing the malicious .php file to be written to the tmp/ directory where the web server can execute it.

Complete Exploit Flow (Three HTTP Requests)

Step 1: Visit any page on the target site and extract a valid CSRF token from the HTML or JavaScript.

Step 2: Send a crafted multipart POST request to /index.php?option=com_jce&task=profiles.import with the captured token and a file named nuclei-deadbeef.xml.php containing a PHP payload (e.g., <?= 45*69 ?>). The server responds 200 OK and writes the file to /var/www/html/tmp/nuclei-deadbeef.xml.php.

Step 3: Access the uploaded file via /tmp/nuclei-deadbeef.xml.php. The response body returns 3105 (the result of 45 × 69), confirming successful code execution.

The entire chain requires no session cookie, username, or password.

Patch Analysis – Six Mitigation Layers in 2.9.99.5

Authorization Check: All admin actions now require the core.manage permission; visitors (ID = 0) are denied.

Extension Whitelist: Only .xml files are accepted; PATHINFO_EXTENSION extracts the final suffix to block double‑extension bypasses.

Unsafe Flag Reset: $allow_unsafe is restored to false, re‑enabling the dangerous‑extension blacklist.

File Size Limit: Uploads are limited to 512 KB, preventing large malicious payloads.

XXE Protection: For PHP 7.x the code calls libxml_disable_entity_loader(true) to mitigate XML external entity attacks.

Field Whitelist: Only predefined XML fields (e.g., name, rows, plugins) are processed; all other keys are ignored.
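The three weaknesses in the attack chain and the corresponding layers of the 2.9.99.5 patch can be seen side by side in a small model of the import check. The block below is an added illustration written for this article, not JCE's own PHP; it re-expresses the described logic in Python, so make_safe() and final_extension() are stand-ins for File::makeSafe() and pathinfo($f, PATHINFO_EXTENSION), the set of blacklisted suffixes is an assumed, illustrative subset (the page does not list the real one), and the 512 KB limit, core.manage requirement, .xml whitelist and the name/rows/plugins fields come from the patch analysis above.

```python
import os
import re

# Policy values taken from the 2.9.99.5 patch description on this page.
MAX_UPLOAD_BYTES = 512 * 1024            # "File Size Limit: 512 KB"
ALLOWED_EXTENSIONS = {"xml"}             # "Extension Whitelist: only .xml"
ALLOWED_FIELDS = {"name", "rows", "plugins"}  # examples named under "Field Whitelist"
VISITOR_ID = 0                           # Joomla guest user id
# Assumption: illustrative subset of server-executable suffixes. The real
# blacklist inside File::upload() is not reproduced on this page.
DANGEROUS_EXTENSIONS = {"php", "phtml", "phar", "php5", "shtml"}


def make_safe(filename: str) -> str:
    """Stand-in for File::makeSafe(): strip characters that are illegal in a
    filename, but apply no extension policy whatsoever."""
    return re.sub(r"[^\w.\-]", "", filename)


def final_extension(filename: str) -> str:
    """Equivalent of pathinfo($f, PATHINFO_EXTENSION): only the text after the
    LAST dot counts, so 'x.xml.php' yields 'php', never 'xml'."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def vulnerable_import_accepts(filename: str) -> bool:
    """Pre-patch (<= 2.9.99.4) behaviour as described above: no identity check,
    makeSafe() only, and allow_unsafe=true so the blacklist is never consulted."""
    return make_safe(filename) != ""


def patched_import_check(user_id: int, can_manage: bool,
                         filename: str, size_bytes: int):
    """Post-patch behaviour. Returns (accepted, reasons); every failing layer is
    recorded so a reviewer can see that the defence is layered, not a single gate."""
    reasons = []
    # Layer 1: authorization. Guests (id 0) and users without core.manage are denied.
    if user_id == VISITOR_ID or not can_manage:
        reasons.append("authorization: core.manage permission required")
    # Layer 2: whitelist on the FINAL suffix, which defeats double extensions.
    safe_name = make_safe(filename)
    ext = final_extension(safe_name)
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append(f"extension: '.{ext}' not in whitelist {sorted(ALLOWED_EXTENSIONS)}")
    # Layer 3: allow_unsafe is back to false, so the blacklist applies again.
    if ext in DANGEROUS_EXTENSIONS:
        reasons.append(f"unsafe: '.{ext}' is a blacklisted executable suffix")
    # Layer 4: size cap.
    if size_bytes > MAX_UPLOAD_BYTES:
        reasons.append(f"size: {size_bytes} bytes exceeds {MAX_UPLOAD_BYTES}")
    return (not reasons, reasons)


def filter_profile_fields(fields: dict) -> dict:
    """Layer 6: keep only predefined XML keys; anything else is dropped silently."""
    return {k: v for k, v in fields.items() if k in ALLOWED_FIELDS}


if __name__ == "__main__":
    # Constructed sample: the double-extension name quoted on this page.
    name = "nuclei-deadbeef.xml.php"
    print("pre-patch accepts:", vulnerable_import_accepts(name))
    print("post-patch verdict:", patched_import_check(0, False, name, 64))
    print("legit admin upload:", patched_import_check(42, True, "profile.xml", 4096))
    print("fields kept:", filter_profile_fields({"name": "Editor", "evil": "x"}))
```

The point of the split between make_safe() and final_extension() is that character sanitisation and extension policy are different controls: the first makes a name safe to write, the second decides whether it should be written at all, and only the last suffix is what the web server will dispatch on.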

GitHub Scanning Tool

A public repository gh1mau/masta-cve-2026-48907 provides a scanner that can fingerprint Joomla/JCE installations, check affected versions, detect WAFs, perform multithreaded bulk scans with proxy support, output results as cards or Excel reports, and optionally execute an intrusive proof‑of‑concept against targets. The intrusive PoC feature has generated community debate about legality.

Emergency Response Recommendations

Immediate Action: Upgrade JCE to 2.9.99.6 or later.

Temporary Mitigation: Use a CDN or WAF to block access to the /component/jce/ path.

Deep Investigation (for potentially compromised sites):

Check the JCE admin backend for unknown editor profile files.

Audit web‑server access logs for unauthorized requests to index.php?option=com_jce&task=profiles.import.

Inspect the tmp/ directory for unexpected PHP files, especially those with early timestamps or random hashes.

Search for residual web shells left by attackers.

Legacy Sites: Apply the free “jce‑pro older sites patch” provided by the JCE project if immediate upgrading is impossible.
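The two log-and-filesystem checks above (unauthorized hits on the profiles.import endpoint, and PHP files being served from tmp/) can be turned into one correlated audit. The script below is an added example written for this article, not a tool from the JCE project or the referenced GitHub repository. It parses access logs in the common Apache/nginx "combined" layout, flags requests to index.php?option=com_jce&task=profiles.import, flags any request for a .php path under /tmp/, and reports source IPs that did both, which is the sequence the exploit flow describes. The five log lines are constructed for the demonstration; the IPs, timestamps and sizes are made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Fields we need from an Apache/nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return a dict with ip, ts, method, path, query (first value per key),
    status; or None for lines that do not match the expected layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    parts = urlsplit(req["target"])
    req["path"] = parts.path
    req["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return req


def is_profile_import(req) -> bool:
    """The vulnerable endpoint named on this page, regardless of parameter order."""
    q = req["query"]
    return (req["path"].endswith("/index.php")
            and q.get("option") == "com_jce"
            and q.get("task") == "profiles.import")


def is_tmp_php_fetch(req) -> bool:
    """A request for a .php resource under the site's tmp/ directory. Legitimate
    Joomla traffic never fetches PHP from tmp/, so any hit is worth a look."""
    path = req["path"].lower()
    return path.startswith("/tmp/") and path.endswith(".php")


def audit(lines):
    """Single pass over log lines. Returns the import requests, the tmp/ PHP
    fetches, and the IPs that performed an import followed by a tmp/ fetch."""
    findings = {"import_requests": [], "tmp_php_fetches": [], "chained_ips": []}
    importers = set()
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        if is_profile_import(req):
            findings["import_requests"].append(req)
            importers.add(req["ip"])
        elif is_tmp_php_fetch(req):
            findings["tmp_php_fetches"].append(req)
            if req["ip"] in importers and req["ip"] not in findings["chained_ips"]:
                findings["chained_ips"].append(req["ip"])
    return findings


# Constructed sample log, not a real capture. Only 203.0.113.7 shows the full
# sequence; 198.51.100.9 is ordinary browsing plus a blocked directory listing.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '203.0.113.7 - - [12/Jun/2026:10:01:03 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 412',
    '203.0.113.7 - - [12/Jun/2026:10:01:04 +0000] "GET /tmp/nuclei-deadbeef.xml.php HTTP/1.1" 200 4',
    '198.51.100.9 - - [12/Jun/2026:10:05:00 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 9876',
    '198.51.100.9 - - [12/Jun/2026:10:05:01 +0000] "GET /tmp/ HTTP/1.1" 403 199',
]


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for req in result["import_requests"]:
        print(f"IMPORT  {req['ip']} {req['ts']} {req['method']} status={req['status']}")
    for req in result["tmp_php_fetches"]:
        print(f"TMP_PHP {req['ip']} {req['ts']} {req['path']} status={req['status']}")
    print("chained:", result["chained_ips"])
```

Run it as `python3 audit_jce.py < access.log` after replacing SAMPLE_LOG with `sys.stdin`; the status code is deliberately not used as a filter, because a 4xx on the import endpoint after the patch still tells you who was probing, and the chained-IP list is the shortlist for the web-shell search recommended above.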

Conclusion

CVE‑2026‑48907 exemplifies a textbook “three‑weakness chain”: missing authorization, no extension validation, and allow_unsafe=true together yield an unauthenticated RCE with a perfect CVSS score. CISA’s confirmation of active exploitation, the public availability of exploit code, and the emergence of GitHub scanning tools underscore the urgency for Joomla site operators to patch promptly and conduct thorough post‑patch forensics.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Patch, Remote Code Execution, JCE, CISA, Joomla, CVE-2026-48907, GitHub scanner