A critical vulnerability, "CVE-2026-48907," has been discovered in the Joomla Content Editor (JCE), the popular WYSIWYG editor for Joomla CMS. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that this vulnerability is already being exploited and urges immediate patching. If exploited, an unauthenticated attacker could upload and execute PHP code, potentially gaining full control of the website.
Vulnerability Overview and Scope of Impact
The newly disclosed "CVE-2026-48907" is an "Improper Access Control" vulnerability present in Joomla Content Editor (JCE) versions 1.0.0 through 2.9.99.4, provided by Widget Factory. It has been rated with a maximum CVSS score of 10.0. This vulnerability allows unauthenticated users to create new editor profiles, through which they can upload malicious PHP code and execute it on the server.
If this vulnerability is exploited, attackers can achieve full compromise of a Joomla site. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Specific Impact and Attack Scenario
Attackers exploit the improper access control in the JCE editor to use the editor profile import function (`index.php?option=com_jce&task=profiles.import`) without authentication. This allows them to upload a new profile containing malicious PHP code and execute it. If successful, a webshell is dropped, granting the attacker persistent backdoor access to the server, enabling them to perform various operations such as stealing database information, tampering with site content, and even executing system commands.
Immediate Actions for Engineers
The most crucial action is to immediately update Joomla Content Editor (JCE) to **version 2.9.99.5 or later**. This version addresses the vulnerability. If updating is difficult, consider the following mitigation measures. Furthermore, even after updating, you should audit server logs and check for suspicious files, considering the possibility that your system may have already been compromised.
It is recommended to add rules to your web server configuration (if using Apache `.htaccess`) to block unauthenticated access to the JCE profile import function. This can temporarily prevent exploitation of the vulnerable endpoint.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/index\.php$
RewriteCond %{QUERY_STRING} option=com_jce&task=profiles\.import [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
# 悪意のあるPHPファイルがアップロードされる可能性のあるディレクトリへの直接アクセスを禁止する例 (JCEのアップロードパスに応じて調整)
<Directory /path/to/your/joomla/images/stories>
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|cgi|pl|py|jsp|asp|aspx|sh|bash|exe|bin|dll|rb|perl)$">
Require all denied
</FilesMatch>
</Directory>
<Directory /path/to/your/joomla/media>
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|cgi|pl|py|jsp|asp|aspx|sh|bash|exe|bin|dll|rb|perl)$">
Require all denied
</FilesMatch>
</Directory>Additionally, carefully monitor your web server access logs for any unauthenticated requests to `index.php?option=com_jce&task=profiles.import`.
📦