CVE-2026-48907
Description
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
CVSS Details
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
Threat Intelligence
- Added: Jun 16, 2026
- Due: Jun 19, 2026
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Weaknesses 1
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| widgetfactorylimited | jce | * | <2.9.99.5 |
References 3
- cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48907
- joomlacontenteditor.net https://www.joomlacontenteditor.net/
- joomlacontenteditor.net https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites
Remediation
No remediation data recorded yet.
Check vendor advisories and the NVD entry for patch availability.