PT-2026-46908 · Joomla · Jce Editor
David Jardin
+1
·
Published
2026-06-03
·
Updated
2026-07-13
·
CVE-2026-48907
CVSS v4.0
10
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red |
Name of the Vulnerable Software and Affected Versions
Widget Factory Joomla Content Editor (JCE) versions 1.0.0 through 2.9.99.4
Description
An improper access control issue in the JCE editor extension for Joomla allows unauthenticated users to create new editor profiles. This flaw enables the upload and execution of arbitrary PHP code on affected servers. The issue has been actively exploited in the wild, leading to the installation of web shells and persistent backdoors for ongoing unauthorized access and control.
Recommendations
Update Widget Factory Joomla Content Editor (JCE) to version 2.9.99.5.
Review access logs and profiles for signs of unauthorized user activity.
Exploit
Fix
RCE
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jce Editor