Description
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
Published: 2026-06-05
Score: 10 Critical
EPSS: 80.4% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in the Joomla Content Editor (JCE) extension, a CWE‑284 Improper Authorization flaw, permits unauthenticated users to create new editor profiles that allow PHP code upload and execution, giving an attacker the ability to run arbitrary code on the web server.

Affected Systems

The vulnerability affects the JCE extension for Joomla shipped by joomlacontenteditor.net. All installations using JCE versions prior to 2.9.99.5 are susceptible.

Risk and Exploitability

The issue has a CVSS score of 10, indicating critical severity. The EPSS score is 80%, indicating a high exploitation probability, and the vulnerability is listed in CISA KEV. Because it is remote and unauthenticated, an attacker can exploit it without credentials or prior access, potentially taking full control of the affected system.

Generated by OpenCVE AI on June 24, 2026 at 12:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Joomla Content Editor (JCE) extension to version 2.9.99.5 or later.
  • If upgrading is not immediately possible, disable or remove the JCE extension from the site to block the upload path.
  • If disabling is not an option, reconfigure the JCE plugin to restrict editor profile creation and file uploads to authenticated administrators only.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
Metrics | | kev {'dateAdded': '2026-06-16T00:00:00+00:00', 'dueDate': '2026-06-19T00:00:00+00:00'}


Tue, 16 Jun 2026 19:30:00 +0000


Fri, 05 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Joomlacontenteditor.net; Joomlacontenteditor.net joomla Content Editor (jce) Extension For Joomla
Vendors & Products | | Joomlacontenteditor.net; Joomlacontenteditor.net joomla Content Editor (jce) Extension For Joomla

Fri, 05 Jun 2026 08:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
Title | | Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5
Weaknesses | | CWE-284
References | |
Metrics | | cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-20T11:56:48.886Z

Reserved: 2026-05-26T10:06:17.657Z

Link: CVE-2026-48907

Vulnrichment

Updated: 2026-06-05T20:20:57.067Z

NVD

Status: Awaiting Analysis

Published: 2026-06-05T08:16:30.797

Modified: 2026-06-16T20:16:46.727

Link: CVE-2026-48907

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses