CVE-2026-48907
Published Jun 5, 2026
Last updated 10 days ago
- Description: A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
- Source: security@joomla.org
- NVD status: Awaiting Analysis
CVSS 4.0
- Type: Secondary
- Base score: 10
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
- Severity: CRITICAL
- security@joomla.org
- CWE-284
1/6 🚨 Today’s top signals from the June 23 AI Security & Cyber Brief: • Joomla JCE RCE (CVE-2026-48907) – CISA added to KEV June 16. Actively exploited. Unauthenticated attackers upload PHP via profile import endpoint → full RCE on ≤2.9.99.4. Automated scans hitt
@seoscottsdale
23 Jun 2026
⚠️ A maximum-severity vulnerability in the Joomla Content Editor extension is under active exploitation, allowing PHP code to be uploaded and executed without authentication. ID: CVE-2026-48907 Severity: 10.0 (CVSS) - Critical Versions
@KasperskyDev
23 Jun 2026
A critical Joomla Content Editor flaw is being mass exploited to deploy webshells. The @CISAgov added CVE-2026-48907 to KEV and gave agencies three days to patch. #cybersecurity #CISO #infosec https://t.co/lU0QwjjUWP
@SCMagazine
21 Jun 2026
Any site running the Joomla Content Editor can be taken over by unauthenticated attackers. CISA flagged CVE-2026-48907 (max severity 10.0) as actively exploited: create an editor profile, upload and run PHP code. Public exploit, automated attacks. Fix: JCE 2.9.99.5.
@ShortInfoNews
20 Jun 2026
JCE (Joomla Content Editor) — Critical vulnerability CVE-2026-48907 https://t.co/PlIc8WH38C #crimeakarro #karrolinux #itservicelinux
@ASPbazi
19 Jun 2026
CVE-2026-48907: How the Joomla JCE Exploit Works and What to Do About It: CVE-2026-48907 in the Joomla JCE plugin lets unauthenticated attackers drop PHP web shells with a single crafted request. Here is how the attack works and how to check if your site… https://t.co/yDNHOJKoB
@shah_sheikh
18 Jun 2026
CISA warns of active exploitation of Joomla JCE vulnerability CVE-2026-48907. CVSS 10.0. Patch to 2.9.9 9.5 by June 19 or risk compromise. https://t.co/WyB59WiBD3 #CVE #Joomla #JCE #RCE #CVSS10 #KEVcatalog #CISA #WidgetFactory #JoomlaSecurity #WebShell https://t.co/J1RmT6XnOy
@redsecuretech
17 Jun 2026
🚨 Joomla JCE Critical Alert CVE-2026-48907 is actively exploited and added to CISA KEV. ✅ Update JCE 2.9.99.5+ ✅ Check for web shells ✅ Review admin users https://t.co/WiLjn70k0f #CyberSecurity #Joomla #CVE #CISA #Vulert
@vulert_official
17 Jun 2026
Joomla JCE CVE-2026-48907 and LiteSpeed cPanel CVE-2026-54420 are being actively exploited, enabling file uploads, PHP execution, and possible root escalation on shared hosting servers. #Joomla #LiteSpeed #CISA https://t.co/o3etmdvGBO
@TweetThreatNews
17 Jun 2026
🚨 JCE (Joomla Content Editor) is being actively exploited. CVE-2026-48907: unauthenticated attackers upload PHP webshells to any affected Joomla site. CISA added it to KEV on June 16. Federal patch due June 19. 🧵 #CVE #KEV https://t.co/9IdJYLDF1Z
@cloudkey_tech
17 Jun 2026
CVE-2026-48907 - Joomla JCE Editor Unauthenticated RCE https://t.co/73oTMralti
@d4rk_c0r3
14 Jun 2026
🚨 #CVE-2026-48907: Critical Unauthenticated RCE Flaw in Joomla Content Editor – Patch Now! + Video https://t.co/A68xFugiLJ Educational Purposes!
@UndercodeUpdate
14 Jun 2026
🚨 CVE-2026-48907 - critical 🚨 Joomla! JCE extension < 2.9.99.5 unauthenticated RCE > Joomla JCE editor extension contains an unrestricted file upload vulnerability caused... 👾 https://t.co/50fCeQphBb @pdnuclei #NucleiTemplates #cve
@pdnuclei_bot
13 Jun 2026