Critical Vulnerability in Content Editor Extension for Joomla (CVE-2026-48907)
Executive Summary
On the 12th of June, the Joomla Content Editor (JCE) maintainers released an advisory regarding their recent security updates. CVE-2026-48907 describes a maximum-severity (CVSS 10.0) unauthenticated remote code execution vulnerability in the JCE extension, affecting all versions from 1.0.0 through 2.9.99.4. The flaw allows any unauthenticated attacker to upload arbitrary PHP files and execute code on the target server. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on June 16, 2026, confirming active exploitation in the wild, with automated scanning campaigns already targeting the approximately 2.5 million active Joomla sites worldwide.
Given the release of the patches, we advise affected individuals to update the JCE extension immediately. Information regarding updating can be found in the Patches section below.
Affected Systems or Products
All JCE versions from 1.0.0 through 2.9.99.4 are affected. A fix was provided in version 2.9.99.5, and additional hardening was added in 2.9.99.6. Widget Factory recommends affected clients upgrade to 2.9.99.6.
Mitigations / Workarounds
The June 6 patch (version 2.9.99.6) is the current fully hardened release and should be applied if possible. If that cannot be done, there are some general mitigation steps that can be applied:
- Disable PHP execution in upload directories:
  - On Apache, place a .htaccess file inside every upload directory blocking the .php, .phtml, .phar, and .php5 extensions.
  - On NGINX, use a location block to deny PHP execution within the images, media, tmp, and uploads directories.
- PHP configuration hardening: In php.ini, disable dangerous functions: exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source.
- Administrative interface restriction: Enable IP allowlisting for administrative interfaces (e.g., restrict /administrator to VPN or office IP ranges) and enforce MFA on all admin accounts.
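The following shell script is an added example of how the first two mitigation steps above can be rolled out and audited; it is not code from Widget Factory, JCE or the original advisory. It assumes a Joomla install under JOOMLA_ROOT (a placeholder path), Apache 2.4 with an AllowOverride setting that permits the Require directive in .htaccess, and the four upload directories named in the NGINX guidance.

```shell
#!/bin/sh
# Added example for this advisory (not Widget Factory's or JCE's own code).
# Assumptions: Joomla under JOOMLA_ROOT, Apache 2.4 ("Require" syntax) with
# AllowOverride permitting .htaccess rules, and the upload directories named
# in the advisory's NGINX guidance.
JOOMLA_ROOT="${JOOMLA_ROOT:-/var/www/joomla}"   # assumed path; override via env
UPLOAD_DIRS="images media tmp uploads"

# .htaccess body: refuse to serve PHP-family files from an upload directory,
# so a dropped script answers 403 instead of executing.
htaccess_deny_rule() {
  cat <<'EOF'
# Block PHP execution in this upload directory (mitigation for CVE-2026-48907)
<FilesMatch "\.(php|phtml|phar|php5)$">
    Require all denied
</FilesMatch>
EOF
}

# NGINX equivalent; it must sit before the generic "location ~ \.php$"
# fastcgi block, because nginx uses the first regex location that matches.
nginx_deny_rule() {
  cat <<'EOF'
# Block PHP execution in Joomla upload directories (mitigation for CVE-2026-48907)
location ~* ^/(images|media|tmp|uploads)/.*\.(php|phtml|phar|php5)$ {
    deny all;
}
EOF
}

# php.ini line with exactly the functions the advisory lists.
php_disable_functions_line() {
  echo 'disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source'
}

# Append the Apache rule to each upload directory that exists under $1.
# Appends rather than overwrites, in case a directory already ships an
# .htaccess, and is idempotent.
deploy_htaccess() {
  root="$1"
  for d in $UPLOAD_DIRS; do
    [ -d "$root/$d" ] || continue
    grep -q 'Require all denied' "$root/$d/.htaccess" 2>/dev/null && continue
    htaccess_deny_rule >> "$root/$d/.htaccess"
  done
}

# Audit: report every existing upload directory whose .htaccess lacks the
# deny rule; returns 1 if any is missing so it can gate a deployment script.
check_htaccess() {
  root="$1"
  rc=0
  for d in $UPLOAD_DIRS; do
    [ -d "$root/$d" ] || continue
    if ! grep -q 'Require all denied' "$root/$d/.htaccess" 2>/dev/null; then
      echo "MISSING deny rule: $root/$d/.htaccess"
      rc=1
    fi
  done
  return $rc
}

# Usage (run as the owner of the web root):
#   deploy_htaccess "$JOOMLA_ROOT" && check_htaccess "$JOOMLA_ROOT"
#   nginx_deny_rule > /etc/nginx/snippets/joomla-no-php-uploads.conf   # then include it in the server block
#   php_disable_functions_line >> /etc/php/php.ini                     # after confirming no extension needs them
```

Before appending the disable_functions line, confirm that no installed extension relies on those functions (Joomla's own HTTP layer can use curl, for example), and reload PHP afterwards. The .htaccess rule only helps if Apache honours per-directory overrides for the web root; check_htaccess verifies the file is present, not that Apache is reading it, so confirm with a request for a harmless test file in one of the directories.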
Patches
Patches and instructions were provided by the component developer in their advisory. As mentioned above, version 2.9.99.5 includes baseline fixes for the root issues related to the profile import endpoint. Version 2.9.99.6 added further hardening around the processing of user-supplied XML data to that endpoint. Widget Factory strongly recommends affected users update to the 2.9.99.6 patch.
Technical Details
Technical details of the vulnerability along with proof-of-concept (PoC) code were published by researchers at YesWeHack on the same day as the official advisory from JCE. The CVE covers multiple issues, all related to the following Widget Factory JCE component API endpoint:
/index.php?option=com_jce&task=profiles.import
This endpoint is reachable without authentication and does not restrict uploads to profile files, allowing attackers to connect to the endpoint and upload arbitrary data that the JCE component will process.
While the endpoint is meant to ingest and process XML profile data, insufficient filtering in the vulnerable releases allows threat actors to upload arbitrary PHP files, which are processed and stored on disk. Compounding this, the underlying File::upload function is invoked with the $allow_unsafe = true parameter, which bypasses Joomla's file-extension safety checks. Together, these issues allow attackers to upload reverse shells directly and execute malicious code on a target machine.
Affected organizations can monitor and hunt for suspicious requests to the above-mentioned endpoint as an indicator of attack. Malicious requests to that endpoint will contain non-XML file content.
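An added hunting example for the indicator described above, written for this page and not part of the original advisory or Beazley Security's tooling. It assumes Apache/NGINX "combined" access logs (the request line is the quoted "METHOD PATH PROTOCOL" field) and, for the body check, a request body captured by a WAF or reverse proxy; the log lines in the test are constructed samples.

```shell
#!/bin/sh
# Added hunting example for this advisory (not Beazley Security's or JCE's
# tooling). Works on Apache/NGINX "combined" access logs.

# Print every request to the JCE profile import endpoint, whichever order the
# option= and task= parameters appear in. Legitimate admin imports match too;
# triage by source IP, /administrator referer and the uploaded content.
hunt_profile_import() {
  grep -E '"[A-Z]+ [^" ]*index\.php\?[^" ]*option=com_jce' "$1" \
    | grep -E '"[A-Z]+ [^" ]*index\.php\?[^" ]*task=profiles\.import'
}

# Print every request for a PHP-family file inside an upload directory: after a
# successful upload the next step is a request for the dropped file.
hunt_php_in_uploads() {
  grep -iE '"[A-Z]+ /(images|media|tmp|uploads)/[^" ]*\.(php|phtml|phar|php5)[?/ ]' "$1"
}

# Exit 0 if a captured upload body looks like a JCE profile export: the first
# non-blank bytes (after an optional UTF-8 BOM) are an XML prolog or tag, and
# there is no PHP open tag anywhere in the file. Exit 1 otherwise.
looks_like_xml_upload() {
  f="$1"
  head -c 256 "$f" | LC_ALL=C tr -d '\357\273\277\r\n\t ' | grep -q '^<' || return 1
  ! grep -q '<?php' "$f"
}

# Usage:
#   hunt_profile_import /var/log/nginx/access.log
#   hunt_php_in_uploads /var/log/nginx/access.log
#   looks_like_xml_upload captured-body.bin || echo "non-XML upload body"
```

Any hit from hunt_php_in_uploads on a file that the site did not ship is a stronger signal than the import request itself, because the upload directories should never serve PHP. A non-XML body sent to the import endpoint is the indicator the advisory names, so where request bodies are captured, run looks_like_xml_upload on each one that hit the endpoint.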
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.
Sources
- https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites
- https://nvd.nist.gov/vuln/detail/CVE-2026-48907
- https://www.cisa.gov/news-events/alerts/2026/06/16/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.yeswehack.com/news/rce-joomla-content-editor-extension
- https://deafnews.it/en/news/vulnerabilities/cisa-adds-joomla-jce-to-kev-pre-auth-rce-cvss-100