JCE Editor Ext. 2.9.99.4: Unauth. Profile Creation PHP Upload (CVE-2026-48907)
CVE-2026-48907 Published on June 5, 2026

Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.

NVD

Weakness Type

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2026-48907 has been classified to as an Authorization vulnerability or weakness.

Affected Versions

joomlacontenteditor.net Joomla Content Editor (JCE) extension for Joomla Version 1.0.0-2.9.99.4 is affected by CVE-2026-48907

Exploit Probability

EPSS

0.11%

Percentile

29.12%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

JCE Editor Ext. 2.9.99.4: Unauth. Profile Creation PHP Upload (CVE-2026-48907)CVE-2026-48907 Published on June 5, 2026

Weakness Type

What is an Authorization Vulnerability?

Affected Versions

Exploit Probability

JCE Editor Ext. 2.9.99.4: Unauth. Profile Creation PHP Upload (CVE-2026-48907)
CVE-2026-48907 Published on June 5, 2026