Black & White Path
Jun 15, 2026 · Information Security
CVSS 10.0 Critical: Unauthenticated RCE in Joomla JCE Editor (CVE‑2026‑48907)
A CVSS 10.0 unauthenticated remote code execution vulnerability (CVE‑2026‑48907) in Joomla's JCE Editor allows attackers to upload malicious PHP files via the profiles.import endpoint. It affects all JCE versions up to 2.9.99.4 and can be exploited with the JoomlaSniper tool. Mitigation requires upgrading to JCE 2.9.99.5 or blocking PHP execution in /tmp/ and /images/.
CVE-2026-48907 · JCE · Joomla
