ctipilot.ch


CVE-2026-48907 — Widget Factory Joomla Content Editor (JCE) before version 2.9.99.5: unauthenticated profile-import → PHP RCE (CVSS v4 10.0)

From CTI Daily Brief — 2026-06-17 · published 2026-06-17

CVE-2026-48907 is an improper-access-control flaw (CWE-284) in the JCE extension — one of the most widely installed third-party Joomla editors — that chains three weaknesses in the profile-import workflow: a missing authentication check on index.php?option=com_jce&task=profiles.import, absent file-extension validation, and disabled upload-safety controls (YesWeHack, 2026-06-16). An unauthenticated attacker imports a crafted editor profile that permits .php (or other executable) extensions for the Image Manager / File Browser plugin, then uploads a web shell that lands in images/ by default — yielding OS-level code execution as the web-server user. The vendor states the attacks are fully automated and that a site without a public registration form is not safe; any site that ran a JCE version before 2.9.99.5 should assume compromise and restore from a pre-breach backup after confirming the timeline from web logs (Widget Factory / JCE, 2026-06-03). CISA added it to the KEV catalog on 2026-06-16. Patched in JCE version 2.9.99.5 (2026-06-03), further hardened in 2.9.99.6 (2026-06-06). Detection: unauthenticated POSTs to profiles.import in web logs; unfamiliar auto-named profiles at the top of the JCE profile list with PHP uploads enabled; unexpected PHP files in images/, media/ or tmp/.
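The web-log and filesystem indicators listed above can be checked mechanically. The script below is an added example, not code from ctipilot.ch, Widget Factory or the JCE project: it flags POST requests to index.php?option=com_jce&task=profiles.import in combined-format access logs, flags requests to PHP-family files under images/, media/ or tmp/, and lists such files in a Joomla web root. The sample log lines and file listing are constructed; the log format (Apache/nginx "combined") and the set of extensions the server executes as PHP are assumptions to align with your configuration. The third indicator, unfamiliar auto-named profiles at the top of the JCE profile list, lives in the Joomla database and is reviewed in the JCE admin UI rather than here.

```python
"""Log and filesystem checks for the CVE-2026-48907 indicators named in the brief.

Added example; not code from ctipilot.ch, Widget Factory or JCE.
Assumptions: access logs use the Apache/nginx "combined" format; the PHP
extension list below matches what the web server hands to the PHP handler.
Sample log lines and file paths are constructed for this example.
"""
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# combined format: host ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Upload locations named in the brief, relative to the Joomla web root.
WATCHED_DIRS = ("images/", "media/", "tmp/")

# Assumed PHP-family extensions; adjust to the handler mapping of your server.
PHP_EXT_RE = re.compile(r"\.ph(?:p\d?|tml|ar)$", re.IGNORECASE)


def is_profile_import(method: str, request_path: str) -> bool:
    """True for a POST whose query string selects the JCE profiles.import task."""
    if method != "POST":
        return False
    url = urlsplit(request_path)
    if not url.path.endswith("index.php"):
        return False
    qs = parse_qs(url.query)
    return qs.get("option") == ["com_jce"] and qs.get("task") == ["profiles.import"]


def is_php_under_watched_dir(rel_path: str) -> bool:
    """True when a web-root-relative path is a PHP-family file under images/, media/ or tmp/."""
    p = rel_path.lstrip("/")
    return p.startswith(WATCHED_DIRS) and PHP_EXT_RE.search(p) is not None


def scan_log(lines):
    """Return one finding per suspicious line, with the fields needed for a timeline."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than fail on a junk line
        method, path = m["method"], m["path"]
        kind = None
        if is_profile_import(method, path):
            kind = "profile-import"
        elif is_php_under_watched_dir(urlsplit(path).path):
            kind = "php-under-upload-dir"
        if kind:
            findings.append({
                "line": lineno, "kind": kind, "host": m["host"], "time": m["time"],
                "status": int(m["status"]),
                # A legitimate import goes through /administrator/; a front-end hit is the
                # unauthenticated pattern described in the brief.
                "frontend": not path.startswith("/administrator/"),
            })
    return findings


def unexpected_php_files(rel_paths):
    """Filter a web-root-relative file listing down to PHP-family files under watched dirs."""
    return sorted(p for p in rel_paths if is_php_under_watched_dir(p))


def scan_webroot(root):
    """Walk a real Joomla web root and return unexpected PHP files under watched dirs."""
    root = Path(root)
    return unexpected_php_files(
        p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()
    )


# Constructed sample data (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jun/2026:02:11:09 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '198.51.100.4 - - [14/Jun/2026:02:13:40 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8821 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jun/2026:02:14:02 +0000] "GET /images/stories/cache.php HTTP/1.1" 200 61 "-" "python-requests/2.32"',
    '198.51.100.4 - - [14/Jun/2026:02:15:11 +0000] "GET /media/system/js/core.js HTTP/1.1" 200 40210 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Jun/2026:03:00:00 +0000] "POST /administrator/index.php?option=com_jce&task=profiles.import HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]
SAMPLE_FILES = [
    "images/banners/banner.jpg", "images/stories/cache.php",
    "media/system/js/core.js", "tmp/index.html",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(unexpected_php_files(SAMPLE_FILES))
```

Every finding still needs triage: a 403 on an administrator-path import is normal noise, while a 200 on a front-end import followed minutes later by a request to a fresh .php file under images/ is the sequence the brief describes and gives the earliest timestamp for the restore-from-backup decision. The log check only sees the query-string form of the task parameter; if the task arrives in the POST body it will not appear in access logs, so the filesystem and profile-list checks remain necessary.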

CVE Summary Table

Compact view of the actively-exploited / weaponised CVEs across this brief (full context in § 2 above and the § 4 updates).

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-48907 | Joomla Content Editor (JCE) before version 2.9.99.5 | 10.0 (v4) | n/a | Yes (06-16) | Yes — automated | version 2.9.99.5 (06-03) | JCE |
| CVE-2026-39808 | Fortinet FortiSandbox — JRPC OS command injection | 9.8 | n/a | No | Yes (06-15) | Apr 2026 (FG-IR-26-100) | Help Net |
| CVE-2026-39813 | Fortinet FortiSandbox — JRPC path traversal / auth bypass | 9.1 | n/a | No | Yes (06-15) | Apr 2026 (FG-IR-26-112) | Help Net |
| CVE-2026-25089 | Fortinet FortiSandbox — web-UI command injection | 9.8 | n/a | No | Probable (faulty AI-built exploit) | 06-09 (FG-IR-26-141) | Security Affairs |
| CVE-2026-0257 | PAN-OS GlobalProtect — cookie auth bypass | 7.8 (v4) | n/a | Yes | Yes — since May 2026 | Vendor hotfixes | PAN PSIRT |
| CVE-2026-50751 | Check Point Security Gateway — IKEv1 auth bypass | 9.3 | n/a | No | PoC public | Hotfix (early June) | Help Net |