CVE-2026-48907 CRITICAL

CVE-2026-48907: Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5

Vendor Joomlacontenteditor.net

Product Joomla Content Editor (JCE) extension for Joomla

Weakness CWE-284

Published June 5, 2026

Last update June 5, 2026

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red

What the vulnerability does

Description

A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.

Key dates

Disclosure timeline

June 5, 2026 CVE published

June 5, 2026 Record updated

Identifiers

CVE CVE-2026-48907

CWE CWE-284

CVSS 10.0 / CRITICAL

Affected versions

Vendor Joomlacontenteditor.net

Product Joomla Content Editor (JCE) extension for Joomla

Affected 1.0.0-2.9.99.4