A maximum-severity improper access control flaw in the Joomla Content Editor (JCE) extension (CVE-2026-48907, CVSS 10.0) lets any unauthenticated attacker upload a rogue editor profile containing a PHP web shell. CISA added it to its Known Exploited Vulnerabilities catalog on June 16, 2026 and ordered federal agencies to patch by June 19. The flaw is fixed in JCE 2.9.99.5 — but Joomla's own warning makes clear that patching stops future access while leaving behind anything already uploaded.
What the Vulnerability Is
JCE's profile-import feature lacked any authentication check. The index.php?option=com_jce&task=profiles.import endpoint would accept editor profile archives from anyone on the internet, with no login required. Attackers found that a specially crafted profile archive can include a PHP file that JCE places in a web-accessible directory, turning a content-editor import into a persistent backdoor. The flaw covers every JCE release from 1.0.0 through 2.9.99.4 — effectively the full version history up to the June 3 patch.
Why It Matters
- CVSS 10.0 — no authentication, no user interaction, network-accessible, full system impact.
- Automated attacks in the wild. Joomla explicitly warned: "the attacks are automated, so a site with no public registration is not safe." Disabling open registration does not block exploitation.
- Persistence survives patching. The update closes the upload door but leaves any web shell an attacker already placed. Compromised sites need active cleanup, not just an upgrade.
- CISA KEV with a 3-day federal remediation window, reflecting confirmed in-the-wild attacks.
- Attackers have been observed using the web shell to gain unrestricted read/write access to the entire server file system over HTTP.
Am I Affected?
You are exposed if you run any version of Joomla with the JCE editor extension (free or Pro) installed and enabled, and the JCE version is between 1.0.0 and 2.9.99.4 (check via Extensions → Manage → Installed). If the site is publicly reachable, restricting user registration does not prevent exploitation.
What to Do About It
1. Update JCE immediately
From your Joomla admin panel, go to Extensions → Manage → Update and confirm JCE shows version 2.9.99.5 or later afterward. You can also download directly from joomlacontenteditor.net. Widget Factory also released a free patch for sites still running older JCE versions.
2. Audit for active compromise
Check your web server access logs, including rotated copies, for the import endpoint:
grep -i "task=profiles.import" /var/log/apache2/access.log
grep -i "task=profiles.import" /var/log/nginx/access.log
Any request to this endpoint that you cannot tie to one of your own administrators, especially around or before June 3, is a strong indicator of attempted exploitation. For each hit, look at the follow-up requests from the same IP: a later request for an unfamiliar .php path under your media or images directories is the dropped shell being used.
3. Hunt for dropped web shells
# Find PHP files changed since configuration.php was last written. This cut-off is only
# meaningful if you have not saved Global Configuration since the attack window, and an
# attacker can reset timestamps, so treat it as a first pass rather than proof of absence
find /var/www/html -name "*.php" -newer /var/www/html/configuration.php -ls
# Look in common JCE profile storage paths; no PHP file belongs under these directories
find /var/www/html/images /var/www/html/media -name "*.php" -ls
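The log search and file hunt in steps 2 and 3 above, combined into one triage script as an added example (not part of the original advisory or of JCE). It also catches the percent-encoded form of the task parameter (task=profiles%2Eimport), which PHP decodes before Joomla sees it, and it runs a second pass over any PHP files found in the upload directories looking for classic web-shell constructs. The log lines, the directory tree and the images/ and media/ paths are constructed assumptions so the script runs offline; point the functions at your real logs and site root instead.

```shell
#!/bin/sh
# Added example for steps 2 and 3: log triage plus web-shell hunt.
# Not part of the original advisory or of JCE; sample data below is constructed.

# --- Step 2: access-log triage ------------------------------------------------
# Matches the task parameter whether the dot is literal or %2E-encoded, in any
# parameter order. Accepts one or more log files (decompress rotated .gz logs first).
jce_import_hits() {
    grep -iE 'task=profiles(\.|%2e)import' "$@"
}

# Per-client-IP hit count, busiest first, so automated scanners stand out.
jce_import_hits_by_ip() {
    jce_import_hits "$@" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# --- Step 3: web-shell hunt ---------------------------------------------------
# Lists PHP files under the upload directories where an editor import should
# never put executable code (paths assumed: images/ and media/ under the site root).
jce_php_in_upload_dirs() {
    site_root=$1
    find "$site_root/images" "$site_root/media" -type f -name '*.php' 2>/dev/null
}

# Narrows the list to files containing typical shell constructs: eval, base64
# obfuscation, or a process spawned straight from a request parameter.
jce_flag_suspicious_php() {
    jce_php_in_upload_dirs "$1" | while IFS= read -r f; do
        if grep -qE 'eval\(|base64_decode\(|(system|passthru|shell_exec)\([[:space:]]*\$_(GET|POST|REQUEST)' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# --- Constructed sample data (assumption, not real traffic) -------------------
SAMPLE_LOG=$(mktemp)
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_LOG" "$SAMPLE_ROOT"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [05/Jun/2026:02:13:44 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.23 - - [05/Jun/2026:02:13:45 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2026:02:13:46 +0000] "POST /index.php?task=profiles%2Eimport&option=com_jce HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [05/Jun/2026:02:14:01 +0000] "GET /index.php?option=com_jce&task=profiles.import HTTP/1.1" 403 0 "-" "curl/8.0"
EOF
mkdir -p "$SAMPLE_ROOT/images/jce" "$SAMPLE_ROOT/media/jce"
printf '<?php eval($_POST["c"]); ?>' > "$SAMPLE_ROOT/images/jce/profile.php"
printf '<?php echo "ok"; ?>'         > "$SAMPLE_ROOT/media/jce/harmless.php"
printf 'not php'                     > "$SAMPLE_ROOT/images/photo.jpg"

# Run the triage against the sample data.
echo "== import endpoint hits by IP =="
jce_import_hits_by_ip "$SAMPLE_LOG"
echo "== PHP files in upload dirs =="
jce_php_in_upload_dirs "$SAMPLE_ROOT"
echo "== of those, files with web-shell constructs =="
jce_flag_suspicious_php "$SAMPLE_ROOT"
```

Every PHP file the hunt turns up in images/ or media/ deserves a look even if the second pass does not flag it: the pattern list only catches the obvious constructs, and a shell can be obfuscated past it.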
4. Review suspicious editor profiles
In the Joomla admin panel, go to Components → JCE → Editor Profiles and delete any profiles you don't recognize — particularly any added recently.
5. Block the endpoint at the WAF/web server level
If you cannot update immediately, block the vulnerable endpoint as a stopgap, and keep the rule in place after patching as an extra layer. Match only the task parameter so parameter order does not matter, and allow for a percent-encoded dot (%2E), which PHP decodes before Joomla sees it. Neither rule inspects POST bodies, and Joomla reads task from the request body as well as the query string, so this slows attackers down but does not replace the patch.
NGINX (a location block matches only the URI path, never the query string, so the test has to go on $args):
if ($args ~* "task=profiles(\.|%2e)import") {
return 403;
}
Apache .htaccess:
RewriteEngine On
RewriteCond %{QUERY_STRING} task=profiles(\.|%2e)import [NC]
RewriteRule .* - [F,L]
6. If you find a web shell
- Take the site offline.
- Restore from a clean backup taken before the attack window.
- Rotate all Joomla database credentials and FTP/SSH credentials.
- Review server logs for lateral movement.
Quick-Win Checklist
- Updated JCE to 2.9.99.5 or applied Widget Factory's free legacy patch.
- Searched access logs for task=profiles.import requests.
- Scanned JCE profile storage directories for unexpected .php files.
- Reviewed and cleaned the Editor Profiles list in Joomla admin.
- Added a WAF/server rule blocking the import endpoint as an extra layer.
- Rotated credentials if any suspicious access was found.