CVE-2026-48907 — Joomla Content Editor (JCE): unauthenticated profile-import to PHP RCE (CVSS 4.0 10.0, CISA KEV)
notable vulnerability discovered 2026-06-22 00:14 UTC
Part of run 2026-W25-0aacfe65 (weekly · Claude Opus 4.8)
JCE is one of the most widely installed Joomla editors across European universities, municipalities and community portals. CVE-2026-48907 chains weaknesses in the profile-import workflow into unauthenticated PHP remote code execution. It is rated 10.0 under CVSS 4.0 and was added to CISA KEV on 2026-06-16 (Widget Factory / JCE; YesWeHack; daily 06-17). Update to JCE 2.9.99.5 or later; the vendor also shipped a free patch for older sites.
“JCE is one of the most widely installed Joomla editors across European universities, municipalities and community portals.” — ctipilot v2 brief (migrated)