PT-2026-46908 · Joomla · Jce Editor

David Jardin

+1

·

Published

2026-06-03

·

Updated

2026-07-13

·

CVE-2026-48907

CVSS v4.0

10

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red
Name of the Vulnerable Software and Affected Versions Widget Factory Joomla Content Editor (JCE) versions 1.0.0 through 2.9.99.4
Description An improper access control issue in the JCE editor extension for Joomla allows unauthenticated users to create new editor profiles. This flaw enables the upload and execution of arbitrary PHP code on affected servers. The issue has been actively exploited in the wild, leading to the installation of web shells and persistent backdoors for ongoing unauthorized access and control.
Recommendations Update Widget Factory Joomla Content Editor (JCE) to version 2.9.99.5. Review access logs and profiles for signs of unauthorized user activity.

Exploit

Fix

RCE

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-08425
CVE-2026-48907

Affected Products

Jce Editor