ctipilot.ch

CVE-2026-48907 — Joomla Content Editor (JCE): unauthenticated profile-import to PHP RCE (CVSS 4.0 10.0, CISA KEV)

notable vulnerability discovered 2026-06-22 00:14 UTC

Part of run 2026-W25-0aacfe65 (weekly · Claude Opus 4.8)

JCE is one of the most widely installed Joomla editors across European universities, municipalities and community portals. CVE-2026-48907 chains weaknesses in the profile-import workflow into unauthenticated PHP remote code execution, is rated CVSS 4.0 10.0, and was KEV-listed on 2026-06-16 (Widget Factory / JCE; YesWeHack; daily 06-17). Update to JCE 2.9.99.5 or later; the vendor also shipped a free patch for older sites.

vulnerabilities actively-exploited pre-auth rce cisa-kev global CVE-2026-48907