NC4-ALR-2026-000004 : Critical Unauthenticated Remote Code Execution in Joomla Content Editor (JCE) CVE-2026-48907
Introduction

NC4 (NACSA) has observed multiple attacks and incidents involving CVE-2026-48907, a critical improper access control vulnerability (CWE-284) in the Joomla Content Editor (JCE) extension for Joomla.

The flaw allows an unauthenticated, remote attacker to create rogue editor profiles and abuse the profile import function to upload and execute arbitrary PHP code, resulting in full pre-authentication remote code execution (RCE) on the affected web server.

Impact

Remote code execution: Successful exploitation grants full arbitrary PHP code execution on the affected web server.

Persistent backdoor: Attackers can drop a web shell, establishing persistent unauthorised access.

Full server compromise: Code execution can lead to data theft, defacement, lateral movement, and complete takeover of the hosting environment.

Confidentiality, integrity, and availability of the affected system and its hosted data are all potentially at risk.

Affected Product

Affected product: JCE Editor (Joomla Content Editor)
Affected versions: 1.0.0 through 2.9.99.4
Fixed versions: 2.9.99.5 and later
Recommended version: 2.9.99.9 or later
Risk level: Critical (CVSS 10.0)

Recommendation

Immediate (Patch)

Update JCE to version 2.9.99.6 (or at minimum 2.9.99.5) without delay on all Joomla installations.

For older deployments that cannot meet the requirements of 2.9.99.6 (PHP 7.4+), apply the vendor's free patch available for the JCE 2.7.x, 2.8.x, and 2.9.x branches. Note: the free patch fixes CVE-2026-48907 only and does not include the additional hardening of the latest release.


Hardening / Mitigation

Deny direct web access to the site's /tmp/ directory and configure the web server so that PHP is never executed from temporary and upload directories, regardless of what the application layer permits.

Review all JCE editor profiles and remove executable extensions from the permitted upload types — including .php, .pht, .phtml, .shtml, .php5, .php7, .phar and .inc — even in profiles that are only reachable by authenticated users.

Restrict upload destinations to directories outside the web root where possible.


Detection / Post-Compromise Forensics

Search web server access logs for suspicious POST requests to JCE upload paths (e.g. /index.php?option=com_jce&task=...).

Look for newly created or recently modified PHP files in Joomla media, upload, and /tmp/ directories.

Inspect upload and temporary directories for unexpected content (web shells).

Audit JCE editor profile configurations for unauthorised or unexpected profiles.

If compromise is confirmed, isolate the host, preserve evidence, and initiate incident response. Assume credential theft and lateral movement until proven otherwise.
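The following is an added example written for this advisory; it is not NC4's or the JCE project's tooling. It implements the checks listed under Hardening / Mitigation (executable extensions still permitted by a profile) and under Detection / Post-Compromise Forensics (POST requests to com_jce in access logs, recently modified executable files under media, upload and tmp directories). Assumptions, marked in the code: the web server writes Apache/nginx combined-format access logs, JCE profiles are available as dicts with an "allowed_extensions" list, and the task names in the constructed sample log lines are illustrative rather than confirmed JCE task names.

```python
"""Added triage helpers for CVE-2026-48907 hunting (example code written for this
advisory, not NC4's or the JCE project's tooling). Assumptions: the web server
writes Apache/nginx combined-format access logs; JCE profiles are available as
dicts with an 'allowed_extensions' list; task names in the sample log are
illustrative. Sample log lines and the demo file tree are constructed, not real."""
import os
import re
import tempfile
import time
from urllib.parse import parse_qs, urlparse

# Executable extensions the advisory says must not be permitted upload types.
EXECUTABLE_EXTS = {"php", "pht", "phtml", "shtml", "php5", "php7", "phar", "inc"}

# Combined log format: ip ident user [ts] "METHOD url proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)


def suspicious_jce_requests(log_lines):
    """Return (ip, timestamp, url, status) for every POST to com_jce.

    The flaw is reached pre-auth through JCE endpoints, so every POST carrying
    option=com_jce is worth a look; unauthenticated sources are the priority."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        query = parse_qs(urlparse(m.group("url")).query)
        if query.get("option", [""])[0] == "com_jce":
            hits.append((m.group("ip"), m.group("ts"), m.group("url"), int(m.group("status"))))
    return hits


def has_executable_extension(filename):
    """True if any extension segment after the base name is executable.

    Every segment is checked, not only the last, so double extensions such as
    shell.php.jpg (still executed by some Apache AddHandler setups) are caught."""
    segments = filename.lower().split(".")[1:]
    return any(seg in EXECUTABLE_EXTS for seg in segments)


def recent_executable_files(root, max_age_seconds=7 * 86400, now=None):
    """Walk root and return executable-extension files modified within the window."""
    now = time.time() if now is None else now
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if has_executable_extension(name) and now - os.path.getmtime(path) <= max_age_seconds:
                found.append(path)
    return sorted(found)


def profile_violations(profile):
    """Return executable extensions a JCE profile still permits (assumed dict shape)."""
    allowed = {ext.lower().lstrip(".") for ext in profile.get("allowed_extensions", [])}
    return sorted(allowed & EXECUTABLE_EXTS)


# Constructed sample log lines (not real traffic); task names are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jun/2026:03:14:07 +0000] "POST /index.php?option=com_jce&task=profile.import HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.2 - - [16/Jun/2026:03:15:11 +0000] "GET /index.php?option=com_jce&task=plugin.display HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.2 - admin [16/Jun/2026:03:16:40 +0000] "POST /index.php?option=com_content&task=article.save HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jun/2026:03:17:02 +0000] "POST /index.php?option=com_jce&task=plugin.upload HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    'garbage line that does not parse',
]

# Constructed profiles in the assumed shape; "Rogue" mirrors what an attacker-created profile might permit.
SAMPLE_PROFILES = [
    {"name": "Default", "allowed_extensions": ["jpg", "png", "pdf"]},
    {"name": "Rogue", "allowed_extensions": ["jpg", ".php", "PHAR"]},
]


def build_demo_tree():
    """Create a throwaway Joomla-like tree: two fresh executable files, one old decoy."""
    root = tempfile.mkdtemp(prefix="jce-hunt-")
    for rel in ("images/photo.jpg", "images/shell.php", "tmp/update.phar", "tmp/old.php.jpg"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php system($_GET['c']); ?>" if rel.endswith((".php", ".phar")) else "x")
    old = time.time() - 30 * 86400  # decoy modified 30 days ago, outside the 7-day window
    os.utime(os.path.join(root, "tmp/old.php.jpg"), (old, old))
    return root


if __name__ == "__main__":
    for hit in suspicious_jce_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
    for prof in SAMPLE_PROFILES:
        bad = profile_violations(prof)
        if bad:
            print(f"profile {prof['name']!r} permits executable uploads: {bad}")
    for path in recent_executable_files(build_demo_tree()):
        print("recently modified executable file:", path)
```

On a real host, point recent_executable_files at the Joomla root's images/, media/ and tmp/ directories and feed suspicious_jce_requests the raw access log; a POST to com_jce from an address with no prior authenticated session, followed shortly by a new .php or .phar file under those directories, is the pattern this advisory describes.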


Reporting

Malaysian NCII entities affected by this advisory are advised to report indicators or incidents to NC4, as required under the Cyber Security Act 2024 (Act 854), for national coordination and intelligence sharing.

References

NVD — CVE-2026-48907    https://nvd.nist.gov/vuln/detail/CVE-2026-48907

CISA KEV addition (16 June 2026)    https://www.cisa.gov/news-events/alerts/2026/06/16/cisa-adds-one-known-exploited-vulnerability-catalog

Vendor advisory (Joomla Content Editor)    https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites
