Unauthenticated RCE in Joomla Content Editor (JCE) Profile Import (CVE-2026-48907)
by Widget Factory (vendor); public exploit author unknown (0xgh057r3c0n PoC) · 2026-07-01
- Severity: Critical
- CVE: CVE-2026-48907
- Category: web
- Affected product: Joomla Content Editor (JCE) extension by Widget Factory
- Affected versions: 1.0.0 through 2.9.99.4
- Disclosed: 2026-07-01
- Patch status: unpatched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-07-01 |
| Last Updated | 2026-06-16 |
| Author / Researcher | Widget Factory (vendor); public exploit author unknown (0xgh057r3c0n PoC) |
| CVE / Advisory | CVE-2026-48907 |
| Category | web |
| Severity | Critical |
| CVSS Score | 10.0 (CVSSv3) |
| Status | Weaponized |
| Tags | RCE, unauthenticated, Joomla, JCE, CMS, access-control, webshell, php-webshell, file-upload, CISA-KEV, active-exploitation |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Joomla Content Editor (JCE) extension by Widget Factory |
| Versions Affected | 1.0.0 through 2.9.99.4 |
| Language / Platform | PHP (target); Python (PoC) |
| Authentication Required | No |
| Network Access Required | Yes (HTTP to Joomla site with JCE installed) |
Summary
CVE-2026-48907 is a critical improper access control vulnerability in the JCE extension for Joomla. The profile import workflow (index.php?option=com_jce&task=profiles.import) is missing sufficient authorization checks, letting unauthenticated users create new editor profiles and abuse the import functionality to upload arbitrary PHP files, with additional bypass of file-type/MIME-type restrictions. Successful exploitation drops a PHP payload on the server and executes it, achieving unauthenticated remote code execution. A public exploit appeared 2026-06-09, and within 24 hours attackers compromised Joomla’s own infrastructure (extensions.joomla.org, community.joomla.org, certification.joomla.org). CISA added this to KEV on 2026-06-16 with FCEB remediation due 2026-06-19.
Vulnerability Details
Root Cause
Missing/insufficient authorization on JCE’s profile-import task allows unauthenticated creation of new editor profiles. The import handler does not adequately validate uploaded profile content, allowing a PHP file to be smuggled through and ultimately written to a web-accessible path.
Attack Vector
- Retrieve a CSRF token from the target Joomla site’s homepage.
- Submit a crafted XML “profile” import to index.php?option=com_jce&task=profiles.import, smuggling a PHP webshell.
- The malicious profile import writes the PHP payload to a predictable/discoverable path (e.g. under /tmp/ or JCE’s media directory).
- Request the uploaded file directly to achieve code execution.
Impact
Full unauthenticated remote code execution on the underlying Joomla host — attacker-controlled PHP execution with the privileges of the web server.
Environment / Lab Setup
Target: Joomla site with JCE 1.0.0 - 2.9.99.4 installed
Attacker: Python 3 + requests
Proof of Concept
PoC Script
See CVE-2026-48907.py (exploit) and CVE-2026-48907.yaml (Nuclei-style detection template) in this folder.
Grabs a CSRF token from the target homepage, POSTs a crafted profile-import XML payload to smuggle a PHP webshell, then invokes the dropped shell for code execution. Supports batch/multi-target mode.
Detection & Indicators of Compromise
Signs of compromise:
- Unfamiliar PHP files with webshell characteristics in JCE-writable directories
- Joomla admin panel showing unrecognized editor profiles
- Outbound requests to newly-created PHP files shortly after a profile-import POST
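The third indicator above (a request to a newly created PHP file shortly after a profile-import POST) can be checked directly against web-server access logs. The script below is an added example written for this entry; it is not part of the archive, the vendor's code, or the PoC repository. It assumes Apache/nginx "combined" log format, a site-specific allow-list of legitimate PHP entry points (KNOWN_PHP, which you would extend for your install), and a 10-minute correlation window; the log lines embedded in it are constructed for illustration, and the dropped-file path is a placeholder rather than a real artifact name.

```python
"""Correlate access-log lines to flag the JCE profile-import exploitation pattern:
a POST to index.php?option=com_jce&task=profiles.import followed shortly by a
request to a .php path that is not a known Joomla entry point.

Added example for this archive entry; log lines, IPs, timestamps and the
dropped-file name below are constructed, not taken from a real incident.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined log format (assumption: adjust LOG_RE if your server logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# PHP entry points a stock Joomla site legitimately serves.  Any other .php
# request after an import POST is treated as a possible dropped webshell.
# (Assumption: extend this set with whatever your own site really exposes.)
KNOWN_PHP = {"/index.php", "/administrator/index.php"}

# Constructed sample: one benign visitor and one client that hits the import
# task and then fetches a previously unseen PHP file.
SAMPLE_LOG = """\
198.51.100.7 - - [09/Jun/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 8123 "-" "python-requests/2.31"
203.0.113.5 - - [09/Jun/2026:10:00:03 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [09/Jun/2026:10:00:05 +0000] "GET /tmp/EXAMPLE-dropped.php HTTP/1.1" 200 47 "-" "python-requests/2.31"
198.51.100.7 - - [09/Jun/2026:10:00:09 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def is_profile_import(req):
    """True when the request is a POST to the JCE profile-import task named in the advisory."""
    q = req["query"]
    return (req["method"] == "POST"
            and q.get("option") == ["com_jce"]
            and q.get("task") == ["profiles.import"])


def profile_import_posts(lines):
    """Every profile-import POST: on an unpatched site each one deserves a look by itself."""
    return [r for r in map(parse_line, lines) if r and is_profile_import(r)]


def find_suspicious(lines, window=timedelta(minutes=10)):
    """Return (import_post, followup) pairs: an import POST followed within `window`
    by a request (from any client) to a .php path outside KNOWN_PHP."""
    reqs = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    imports, findings = [], []
    for r in reqs:
        if is_profile_import(r):
            imports.append(r)
            continue
        if not r["path"].lower().endswith(".php") or r["path"] in KNOWN_PHP:
            continue
        for imp in imports:
            if timedelta(0) <= r["ts"] - imp["ts"] <= window:
                findings.append((imp, r))
                break
    return findings


if __name__ == "__main__":
    for imp, hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"import POST from {imp['ip']} at {imp['ts']:%H:%M:%S} -> "
              f"{hit['ip']} fetched {hit['path']} at {hit['ts']:%H:%M:%S}")
```

On a real host, feed the script the access log for the days around 2026-06-09 onward and treat every profile-import POST as worth reviewing even without a follow-up hit: the endpoint should not be reached by unauthenticated clients at all, and the follow-up request may land in a different log (for example a separate vhost for the media directory) or outside the window.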
Remediation
| Action | Detail |
|---|---|
| Primary fix | Update JCE to version 2.9.99.5 or later |
| Interim mitigation | Disable/restrict access to the JCE profile-import endpoint if immediate patching isn’t possible |
| Cleanup | Audit for and remove any unauthorized editor profiles and dropped PHP files if compromise is suspected |
References
- CVE-2026-48907 - CISA KEV
- CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution
- Source repository (0xgh057r3c0n)
Notes
Auto-ingested from https://github.com/0xgh057r3c0n/CVE-2026-48907 on 2026-07-01. This CVE has 12+ independently written, verified-working public PoCs, indicating trivial reproducibility. Do not confuse with CVE-2026-48908 (a different Joomla vulnerability — “SP Page Builder” extension — already tracked in this archive).