CVE-2026-48907 – Joomla Content Editor (JCE)
CVSS 9.8
CRITICAL
Critical or Zero Day – Immediate Deployment
“A content editor should manage content, not provide attackers a path to run code on the server.”
The Joomla Content Editor (JCE) extension for Joomla patched CVE-2026-48907, a Critical vulnerability that allows unauthenticated users to create new editor profiles and ultimately upload and execute PHP code. The CVSS score is 10.0, which is Critical severity.
Successful exploitation can lead to arbitrary code execution on the affected Joomla server, resulting in full compromise of the web application and potentially the underlying host. The vulnerability requires no authentication, significantly increasing the risk to exposed systems. Active exploitation has been reported.
Key Details
- Affected Product
- Widgetfactorylimited Jce
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-284
Patch this CVE on all your endpoints in under 5 minutes.
First 200 endpoints are free forever, scale as needed.