CVE-2026-48907
Published: 05 June 2026
Summary
CVE-2026-48907 is a critical-severity Improper Access Control (CWE-284) vulnerability in Widgetfactorylimited Jce. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability in the JCE editor extension for Joomla permits unauthenticated users to create new editor profiles, which can be abused to upload and execute arbitrary PHP code. The issue is tracked as CVE-2026-48907 with a CVSS 4.0 score of 10.0 and is classified under CWE-284 for improper access control. It affects sites using the JCE component and allows remote, unauthenticated exploitation without user interaction.
An attacker with network access can directly invoke the profile-creation functionality to bypass the intended restrictions, resulting in full control over the affected Joomla installation through code execution. The CVSS vector confirms that the attack requires no privileges or user interaction and impacts confidentiality, integrity and availability across both the vulnerable component and the broader system.
The vendor has published a security update along with a free patch for older sites, available from the JCE project site. Administrators are advised to apply the update promptly to prevent profile creation by unauthenticated users.
The EPSS score remains flat at 0.0685 with no observed rise after disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-34789
Vulnerability details
A vulnerability in the JCE editor extension for Joomla allows unauthenticated users to create new editor profiles, ultimately resulting in PHP code upload and execution.
- CWE(s): CWE-284 (Improper Access Control)
- KEV Date Added: 16 June 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated RCE via public-facing Joomla web app component due to improper access control.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces access-control policy to block unauthenticated creation of JCE editor profiles that lead to PHP upload.
- SI-2 (Flaw Remediation): requires prompt application of the vendor patch that restores the missing access restriction on profile creation.
- Limits the privileges granted to the editor-profile functionality so that, even if it is reached, it cannot perform arbitrary code upload.