Cyber Resilience

CVE-2026-48907

Critical · CISA KEV · Active Exploitation · Updated

Published: 05 June 2026
Modified: 17 June 2026
KEV Added: 16 June 2026
Patch: available (vendor security update)
CVSS v4 score: 10.0 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red)
EPSS score: 0.8043 (99.6th percentile)
Risk priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-48907 is a critical-severity Improper Access Control (CWE-284) vulnerability in JCE (Widget Factory Limited). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability in the JCE editor extension for Joomla permits unauthenticated users to create new editor profiles, which can be abused to upload and execute arbitrary PHP code. The issue is tracked as CVE-2026-48907 with a CVSS 4.0 score of 10.0 and is classified under CWE-284 for improper access control. It affects sites using the JCE component and allows remote, unauthenticated exploitation without user interaction.

An attacker with network access can directly invoke the profile-creation functionality to bypass the intended restrictions, gaining full control over the affected Joomla installation through code execution. The CVSS vector confirms that the attack requires no privileges or user interaction and impacts confidentiality, integrity and availability of both the vulnerable component and the broader system.

The vendor has published a security update along with a free patch for older sites, available from the JCE project site. Administrators are advised to apply the update promptly to prevent profile creation by unauthenticated users.

The EPSS score remains flat at 0.0685 with no observed rise after disclosure.


Vulnerability details

A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.

CWE(s): CWE-284 (Improper Access Control)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct, unauthenticated remote code execution through a public-facing Joomla web application component, caused by improper access control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: widgetfactorylimited
Product: jce
Versions: ≤ 2.9.99.5

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

- AC-3 Access Enforcement (prevent): Directly enforces access-control policy to block unauthenticated creation of JCE editor profiles that lead to PHP upload.
- SI-2 Flaw Remediation (prevent): Requires prompt application of the vendor patch that restores the missing access restriction on profile creation.
- Prevent: Limits the privileges granted to the editor-profile functionality so that, even if it is reached, it cannot perform arbitrary code upload.
