—

CVE-2026-48907KEVEXPLOITED

joomlacontenteditor.net · joomla content editor (jce) extension for joomla

Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5

Description

Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users.

Affected Products

Vendor	Product	Versions
joomlacontenteditor.net	joomla content editor (jce) extension for joomla	1.0.0-2.9.99.4, 2.9.99.5

References

https://www.joomlacontenteditor.net/(product)
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-48907.yaml(exploit, nuclei)

Related News (4 articles)

Tier D

BleepingComputer2h ago

CISA orders feds to patch max severity Joomla plugin flaw by Friday

→ No new info (linked only)

Tier D

SecurityWeek5h ago

Joomla, LiteSpeed Vulnerabilities Exploited in Attacks

→ No new info (linked only)

Tier D

The Hacker News7h ago

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

→ No new info (linked only)

Tier C

VulDB12d ago

CVE-2026-48907 | joomlacontenteditor Content Editor Extension up to 2.9.99.4 on Joomla JCE Editor Extension access control

CISA KEV✅ Yes

Actively exploited✅ Yes

CWECWE-284, CWE-20

PublishedJun 5, 2026

Last enriched1h agov5

Community Vote

0 upvotes0 downvotes

No votes yet

Vulnerability Timeline

CVE Published

Jun 5, 2026

Added to CISA KEV

Jun 5, 2026

Discovered by ZDM

Jun 5, 2026

Updated: severity, activelyExploited

Jun 5, 2026

Actively Exploited

Jun 17, 2026

Exploit Available

Jun 17, 2026

Updated: cweIds

Jun 17, 2026

Updated: description, affectedVersions, tags

Jun 17, 2026

Updated: description

Jun 17, 2026

Version History

Last enriched 1h ago

v5Tier D1h ago

Updated description with more technical detail, changed severity to HIGH, updated CVSS estimate to 9.8, and added patch version 2.9.99.6.

description

via BleepingComputer

v4Tier D4h ago

Updated description with technical details, changed severity to HIGH, added CVSS estimate of 7.5, specified affected version 2.9.99.5, provided patch version 2.9.99.6, and included IoCs and MITRE ATT&CK technique T1203.

descriptionaffectedVersionstags

via SecurityWeek

v3Tier D5h ago

Updated severity to CRITICAL and CVSS score to 10.0, and added new CWE-20.

cweIds

via The Hacker News

v2Tier C12d ago

Updated severity to CRITICAL and marked the vulnerability as actively exploited.

severityactivelyExploited

via VulDB

v112d ago

Initial creation

Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5

Description

Affected Products

References

Related News (4 articles)

Community Vote

Pin to Dashboard

Verification

Vulnerability Timeline

Version History