CVE-2026-48907 allows attackers to compromise Joomla sites with no login required. Here is what the vulnerability does, how to tell if your site was hit, and how to fix it.
If your Joomla website uses the JCE Editor extension, this needs your attention today, not at the end of the week.
CVE-2026-48907 is an actively exploited vulnerability in JCE Editor that requires no administrator login to execute. Attackers can reach a restricted part of JCE from the outside, create a malicious editor profile, and upload a PHP web shell to your server, all without a single valid password.
The vulnerability was patched in June 2026. But patching alone does not clean a site that was already hit. If your site was running a vulnerable version before the update, there is a real chance it is compromised right now, even if everything still looks normal on the front end.
This guide covers exactly what the vulnerability does, how to spot if your site was affected, and what to do to fix it.
Key Takeaways:
- CVE-2026-48907 allows unauthenticated attackers to upload malicious PHP files to Joomla sites running JCE 2.9.99.4 and earlier.
- The vulnerability is being actively exploited, and working exploit code is publicly available.
- Updating JCE closes the vulnerability, but does not remove anything an attacker may have already placed on your site.
- Any site running JCE before June 3, 2026 should be checked for rogue profiles, suspicious PHP files, and unknown administrator accounts.
- Patching, cleanup, and hardening are three separate steps. You need all three.
What Is JCE Editor?
JCE, short for Joomla Content Editor, is one of the most widely used extensions in the Joomla ecosystem. It replaces Joomla’s default editor with a more capable alternative, offering a richer editing experience, file browser tools, image management, and a profile system that lets administrators control exactly what different users can upload and access inside the editor.
That profile system is central to how JCE works, and it is exactly what this vulnerability targets.
What CVE-2026-48907 Actually Does
The vulnerability is an improper access control flaw. In plain language, a part of JCE that should only be available to logged-in administrators could be reached by anyone, including unauthenticated visitors.
The attack path is short and fully automated:
1. The attacker sends a request to the JCE profile import endpoint, with no login required.
2. A rogue editor profile is created or imported that re-enables dangerous upload types, including .php files, with MIME validation turned off.
3. The attacker uploads a PHP web shell through that profile.
4. The shell sits in a publicly accessible folder, such as /images, /media, or /tmp, and waits.
5. The attacker runs the shell from a browser, gaining the ability to execute code on your server.
From there, the possibilities are serious: stolen database credentials, added administrator accounts, modified files, injected malware, email spam, redirects, and backdoors that survive a simple extension update.
Why This is More Serious Than a Routine Update
Four things make CVE-2026-48907 worth treating urgently.
No login is required. This is not a vulnerability that only applies to sites with weak passwords or public registration. It requires nothing from your visitors or users.
The exploit code is public. Working attack code has been available on GitHub since June 9, 2026. That means the barrier to exploiting this is low for anyone who wants to run automated attacks across hundreds or thousands of JCE installs.
It is actively exploited. CISA added CVE-2026-48907 to its Known Exploited Vulnerabilities catalog on June 16, 2026. CISA only lists a vulnerability there when it has confirmed evidence of exploitation in the wild. The Joomla project’s own official sites, including extensions.joomla.org, were taken offline by this same attack.
Patching is not cleaning. Updating JCE to 2.9.99.7 closes the door. It does not remove rogue profiles, web shells, or backdoor files that were placed before the update. If your site was vulnerable, you need to check it, not just update it.
Affected Versions
JCE versions 1.0.0 through 2.9.99.4 carry the vulnerability. The fix was released in three stages:
| Version | Date | What it addresses |
|---|---|---|
| 2.9.99.5 | June 3, 2026 | Initial security patch closing CVE-2026-48907 |
| 2.9.99.6 | June 8, 2026 | Hardening release following a full internal audit |
| 2.9.99.7 | June 18, 2026 | Fixes upload regression from 2.9.99.6, adds permitted user groups whitelist. Recommended. |
Update to 2.9.99.7. If you are still running 2.9.99.5 or 2.9.99.6, update regardless, especially if you encountered upload issues after the June 8 release.
For sites running JCE 2.7.x or 2.8.x that cannot update immediately, the JCE developer has released a free security patch package. It closes the vulnerability but does not include the broader hardening from the later releases. Plan to update fully when possible.
How to Tell If Your Site Was Compromised
Updating is the first step. Checking for compromise is the second.
Look in JCE Editor Profiles first.
Go to Components, JCE Editor, Editor Profiles and review every profile listed. Look for:
• Profiles you did not create, including machine-generated names like J940401 or blunt labels like Pwned.
• Profiles with a very large negative ordering value, such as -99999, that pins them above your real profiles.
• Profiles where PHP, phtml, or txt files appear in the permitted upload types, with MIME validation disabled.
A rogue profile with PHP uploads enabled is the clearest sign that the attack occurred.
Check your files next.
PHP files should not be inside /images, /media, /tmp, or /cache. If you find them, treat them as suspicious. Common indicators include:
• Files with eval(gzinflate(base64_decode(…))) patterns inside.
• Small files named with random characters or ending in .php.xml or .php.jpg.
• Files referencing shell_exec, system, or passthru.
Review your server access logs.
Look for POST requests to the JCE profile import endpoint. The earliest matching request tells you when the attack reached your site, which matters if you are deciding whether a backup is clean.
Check your administrator user list.
Go to User Manager and look for accounts you do not recognize. Attackers routinely add super-administrator accounts once they have shell access, so they retain control even after the extension is patched.
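The file and log checks above can be scripted so they run the same way on every site you manage. The script below is an added example written for this article; it is not code from the article's author or from the JCE project. It assumes (the article does not say) that the import request carries "option=com_jce" and "import" in its query string and that the access log is in the Apache/nginx combined format; the sample web root and log lines it builds for the demo run are constructed, not taken from a real incident.

```shell
#!/usr/bin/env bash
# Added example for this article (not code from the article's author or the JCE
# project): automates the file and log checks against a Joomla web root.
# Assumptions not stated by the article: the import request carries
# "option=com_jce" and "import" in its query string, and the access log is in
# Apache/nginx combined format. Adjust the grep patterns to what your logs show.
set -u

# Directories under the web root where no PHP file should ever live.
UPLOAD_DIRS="images media tmp cache"

# Check 1: PHP-executable extensions, or double extensions such as .php.jpg /
# .php.xml, anywhere under the upload directories. Prints one path per line.
find_rogue_php() {
    local root="$1" dir
    for dir in $UPLOAD_DIRS; do
        [ -d "$root/$dir" ] || continue
        find "$root/$dir" -type f \
            \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php.*' \) \
            -print
    done | sort
}

# Check 2: file contents carrying the payload patterns the article names:
# eval(gzinflate(base64_decode(...))) and the shell-execution functions.
# "|| true" keeps a no-match grep (exit 1) from aborting the loop under set -e.
find_shell_patterns() {
    local root="$1" dir
    local pat='eval[[:space:]]*\([[:space:]]*gzinflate[[:space:]]*\([[:space:]]*base64_decode'
    pat="$pat|(^|[^[:alnum:]_])(shell_exec|system|passthru)[[:space:]]*\("
    for dir in $UPLOAD_DIRS; do
        [ -d "$root/$dir" ] || continue
        grep -rlE "$pat" "$root/$dir" 2>/dev/null || true
    done | sort
}

# Check 3: timestamp of the earliest POST to the (assumed) JCE profile import
# endpoint. Access logs are chronological, so the first hit is the earliest.
# Prints nothing when no request matched.
first_import_post() {
    local log="$1"
    grep -E '"POST [^"]*option=com_jce[^"]*import' "$log" 2>/dev/null \
        | head -n 1 \
        | awk -F'[][]' '{ print $2 }'
}

# Builds a throwaway web root with CONSTRUCTED sample files (deliberately not
# valid PHP, so nothing here is a working shell) plus a three-line access log.
build_fixture() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/images/stories" "$root/media/jui" "$root/tmp" "$root/cache" "$root/logs"
    printf '%s\n' 'not really a jpeg' > "$root/images/logo.jpg"
    printf '%s\n' '<?php eval(gzinflate(base64_decode(/* constructed indicator, not executable */))); ?>' \
        > "$root/images/stories/x7q2.php"
    printf '%s\n' '<?php shell_exec(/* constructed indicator, not a working shell */); ?>' \
        > "$root/media/jui/thumb.php.jpg"
    printf '%s\n' 'harmless cache data' > "$root/cache/page.txt"
    {
        printf '%s\n' '203.0.113.5 - - [04/Jun/2026:02:11:09 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"'
        printf '%s\n' '203.0.113.9 - - [04/Jun/2026:02:11:31 +0000] "POST /index.php?option=com_jce&task=import HTTP/1.1" 200 88 "-" "python-requests/2.31"'
        printf '%s\n' '203.0.113.9 - - [04/Jun/2026:02:12:02 +0000] "GET /images/stories/x7q2.php?c=id HTTP/1.1" 200 57 "-" "python-requests/2.31"'
    } > "$root/logs/access.log"
    printf '%s\n' "$root"
}

if [ "$#" -ge 1 ]; then
    ROOT="$1"                       # a real Joomla web root, e.g. /var/www/html
    LOG="${2:-}"                    # optional: path to that site's access log
else
    ROOT=$(build_fixture)           # demo run against the constructed fixture
    LOG="$ROOT/logs/access.log"
fi
echo "== PHP files in upload directories =="; find_rogue_php "$ROOT"
echo "== files with payload patterns ==";     find_shell_patterns "$ROOT"
if [ -n "$LOG" ]; then
    echo "== earliest import POST ==";        first_import_post "$LOG"
fi
[ "$#" -ge 1 ] || rm -rf "$ROOT"            # remove the demo fixture only
```

Run it as `./jce-check.sh /var/www/html /var/log/apache2/access.log` on a real site. A hit from check 1 or 2 is a file to quarantine and inspect, not proof by itself; a timestamp from check 3 is the earliest point after which backups can no longer be trusted. Rotated logs should be checked oldest first, since the function reports the first match in the file it is given.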
How to Fix It: The Complete Sequence
1. Update JCE immediately. Go to Administrator, System, Update, Extensions and install JCE 2.9.99.7 or the latest available version. If the update does not appear, download directly from the official JCE website and install manually.
2. Update Joomla core. Do not stop at the extension. Make sure Joomla itself is fully patched. An updated CMS reduces the overall attack surface.
3. Review and delete rogue JCE profiles. Remove any profile you did not create. After cleanup, verify that no remaining profiles allow PHP or script file uploads.
4. Search for suspicious files. Scan /images, /media, /tmp, /cache, and any custom upload directory. Remove any PHP files that should not be there.
5. Run a server-side malware scan. Tools like ImunifyAV or ClamAV scan actual files on your hosting account, not just Joomla’s database. A Joomla admin extension scan alone is not sufficient.
6. Change all passwords. If there is any sign of compromise, rotate the Joomla administrator passwords, your hosting control panel password, FTP and SFTP credentials, and your database passwords.
7. Restore from backup if needed. If you find malicious files, the safest resolution is restoring from a clean backup taken before
Hardening Steps to Take After Cleanup
Once the site is clean and patched, reduce the risk of future incidents:
• Restrict file upload extensions in JCE profiles to only what each user group actually needs.
• Disable PHP execution in image and media upload directories where your hosting allows it.
• Enable two-factor authentication for all administrator accounts.
• Remove Joomla extensions that are unused or no longer maintained.
• Run regular file integrity checks and automated backups.
• Review administrator accounts periodically and remove accounts that should not be there.
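The second hardening item, blocking PHP execution in the upload directories, is the one that would have turned an uploaded shell into a 403 even before the patch existed. The script below is an added example for this article, not code from the article's author or from the JCE project. It assumes Apache 2.4 with an AllowOverride setting that permits AuthConfig (or All) for the web root; Apache 2.2 uses "Deny from all" instead of "Require all denied", and nginx has no per-directory file, so the equivalent location block goes in the server config. The directory tree it builds for the demo run is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the article or the JCE project): drop an Apache 2.4
# .htaccess into each upload directory so PHP-like files there are refused
# outright; a shell planted by any future upload bug answers 403 instead of
# running. Assumes Apache 2.4 with AllowOverride allowing AuthConfig (or All).
# Apache 2.2 needs "Deny from all"; nginx needs a location block in the server
# config rather than a per-directory file.
set -u

UPLOAD_DIRS="images media tmp cache"
MARKER="# jce-hardening: deny PHP execution"

# The rule block. Matching on extension covers .php, .php5, .phtml, .phar, .phps
# and .pht; "Require all denied" refuses the request whatever handler is mapped.
deny_php_rule() {
    printf '%s\n' \
        "$MARKER" \
        '<FilesMatch "\.(php[0-9]?|phtml|phar|phps|pht)$">' \
        '    Require all denied' \
        '</FilesMatch>'
}

# Appends the rule to <dir>/.htaccess, keeping any rules already there and
# adding nothing on a second run (the marker line makes it idempotent).
harden_dir() {
    local dir="$1" ht="$1/.htaccess"
    [ -d "$dir" ] || return 1
    if [ -f "$ht" ] && grep -qF "$MARKER" "$ht"; then
        return 0
    fi
    {
        [ -f "$ht" ] && cat "$ht"
        deny_php_rule
    } > "$ht.tmp" && mv "$ht.tmp" "$ht"
}

# Returns 0 when <dir>/.htaccess carries the deny rule, 1 otherwise.
is_hardened() {
    local ht="$1/.htaccess"
    [ -f "$ht" ] && grep -qF "$MARKER" "$ht" && grep -qF 'Require all denied' "$ht"
}

# Hardens every upload directory under <root> that exists; one status line each.
harden_root() {
    local root="$1" dir
    for dir in $UPLOAD_DIRS; do
        if [ -d "$root/$dir" ]; then
            harden_dir "$root/$dir" && echo "hardened  $root/$dir"
        else
            echo "missing   $root/$dir"
        fi
    done
}

# How many times the marker appears in <dir>/.htaccess (expect exactly 1).
marker_count() {
    grep -cF "$MARKER" "$1/.htaccess" 2>/dev/null || true
}

if [ "$#" -ge 1 ]; then
    harden_root "$1"            # e.g. ./harden-uploads.sh /var/www/html
else
    DEMO=$(mktemp -d)           # constructed demo tree, removed afterwards
    mkdir -p "$DEMO/images" "$DEMO/media"
    printf 'Options -Indexes\n' > "$DEMO/images/.htaccess"   # existing rule, kept
    harden_root "$DEMO"
    harden_root "$DEMO" >/dev/null                           # second run: no change
    echo "== $DEMO/images/.htaccess (marker count: $(marker_count "$DEMO/images")) =="
    cat "$DEMO/images/.htaccess"
    rm -rf "$DEMO"
fi
```

After running it on a real site, confirm the rule is actually honoured by requesting a harmless test file such as `/images/ht-test.php` and checking for a 403; if it is served instead, AllowOverride on the vhost is too restrictive and the same FilesMatch block belongs in the Directory section of the server config. This is defence in depth: it does not replace the JCE update or the cleanup, but it limits what the next upload bug can do.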
These steps protect against future attacks. They do not resolve a site that is currently compromised. If you found rogue profiles or suspicious files, complete the cleanup sequence above first.
The One Thing Most Site Owners Miss
Updating JCE is the right move. It is also not enough on its own.
If your site was running a vulnerable version before June 3, 2026, an attacker may have already used that window. Updating closes the entry point, but a web shell that was uploaded before the patch is still sitting on your server. It does not disappear when you update the extension.
The only way to know your site is actually clean is to check it.
Attackers often leave backdoors that are inactive until needed. A clean-looking front end is not confirmation that the site is clean.
IDL Can Help
At IDL Web Inc., we have been maintaining and recovering Joomla sites for over ten years. We have seen what this attack leaves behind on live sites: rogue profiles, obfuscated shells, added admin accounts, and backdoors embedded in legitimate-looking files. We know what a clean site looks like and what a compromised one looks like, because we have cleaned them.
If you manage a portfolio of Joomla sites and want to verify them quickly, or if you suspect one of your sites was already hit, we can help. We offer dedicated malware cleanup, Joomla maintenance, and support services, and we start every engagement with a clear picture of what was found and what it will take to resolve it.