Attackers Are Exploiting JCE Editor to Plant PHP Webshells on Joomla Sites
CVE-2026-48907 in Joomla Content Editor lets unauthenticated attackers upload PHP webshells. CISA added it to KEV on June 16; patch to JCE 2.9.99.6 now.
If you run Joomla with the JCE (Joomla Content Editor) plugin installed, attackers are actively exploiting CVE-2026-48907 to upload PHP webshells to your site. The flaw is an improper access control vulnerability (CWE-284) that lets an unauthenticated attacker create a rogue editor profile and use it to plant executable files on the server. Widget Factory shipped the first fix on June 3, 2026, working exploit code is public, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on June 16, 2026 with a remediation due date of June 19.
Am I affected?
All JCE versions before 2.9.99.5 contain the vulnerability. Per Widget Factory’s advisory, that covers every site still running JCE 2.7.x, 2.8.x, or any 2.9.x release below 2.9.99.5.
JCE 2.6.x does not appear to be affected in a default configuration, per the vendor advisory. That finding has not been independently verified, and 2.6.x is unsupported with other unpatched issues likely present, so migration is still recommended.
One point differs from many Joomla exploitation scenarios: Widget Factory states explicitly that the attacks are automated and that disabling public user registration does not protect a site. The attack hits the profile import path directly and does not require any registered or guest account to exist.
What to do now
- Update to JCE 2.9.99.6 immediately. Widget Factory released 2.9.99.5 on June 3, 2026 to close the entry point, then 2.9.99.6 on June 6, 2026 with additional hardening. The recommended version is 2.9.99.6. Requirements: PHP 7.4 and Joomla 3.10 or later.
- If you cannot yet run PHP 7.4 and Joomla 3.10, apply the free patch. Widget Factory published a standalone patch for JCE 2.7.x, 2.8.x, and 2.9.x (below 2.9.99.5) at the same advisory URL. It closes the vulnerability without the hardening in 2.9.99.6 and is provided as-is. Treat it as a stopgap: end-of-life PHP or Joomla leaves you exposed on other issues, so plan to migrate.
- Check for existing compromise before treating the site as clean. Patching closes the entry point; it does not remove anything an attacker planted before the patch. In the JCE Editor Profiles list (Components > JCE Editor > Editor Profiles), look for any profile you did not create. A rogue profile will often have a random, auto-generated name and may be sorted to the top of the list. In your web server access logs, look for unauthenticated POST requests to index.php?option=com_jce&task=profiles.import. The earliest such entry shows when the site was first reached. In your images, media, and tmp directories, look for PHP files you did not put there.
- If you find signs of compromise, follow the remediation order. Keep a copy of any suspect profile and files before removing them. Update to 2.9.99.6 first to close the entry point. Delete the rogue profile and any files uploaded through it. Reset all administrator passwords, database credentials, and hosting or FTP credentials. Reset the same credentials on any other site where they were reused. Run a full server-side malware scan. If you need a clean baseline, restore from a backup taken before the first matching log entry.
- The federal remediation due date is June 19, 2026. That applies to US federal agencies under BOD 26-04, but it is a sensible deadline for any organization.
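The version triage from "Am I affected?" and the three compromise checks above (rogue profiles aside, which live in the database) can be scripted. The following is an added example written for this post, not code from Widget Factory, Joomla or CISA. It assumes Apache/nginx combined access-log format, the version boundaries stated in the advisory (2.9.99.5 first fix, 2.9.99.6 recommended, 2.6.x unaffected by default), and the default images/media/tmp upload locations; the sample log lines and the demo directory tree are constructed for the example.

```python
"""Defender-side triage helpers for CVE-2026-48907 (JCE). Added example, not vendor code."""
import os
import re
import tempfile
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Version boundaries per the Widget Factory advisory (assumed as stated in the post).
FIRST_FIXED = (2, 9, 99, 5)   # closes the entry point
RECOMMENDED = (2, 9, 99, 6)   # adds further hardening

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Extensions commonly executed as PHP; matched anywhere in the name so that
# double-extension tricks such as "x.php.jpg" are also surfaced for review.
PHP_EXT_RE = re.compile(r"\.ph(?:p\d?|tml|ar|ps)(?:\.|$)", re.IGNORECASE)


def parse_version(text):
    """'2.9.99.5' -> (2, 9, 99, 5); non-numeric suffixes such as '-beta' are dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def assess_version(text):
    """Classify an installed JCE version against the advisory's boundaries."""
    v = parse_version(text)
    if v[:2] == (2, 6):
        return "unsupported-2.6"      # not affected by default, but EOL: migrate
    if v >= RECOMMENDED:
        return "patched"
    if v >= FIRST_FIXED:
        return "update-recommended"   # entry point closed, hardening missing
    return "vulnerable"


def is_profile_import(path):
    """True for index.php?option=com_jce&task=profiles.import in any parameter order."""
    q = parse_qs(urlsplit(path).query)
    return q.get("option") == ["com_jce"] and q.get("task") == ["profiles.import"]


def find_import_posts(lines):
    """Return (timestamp, client ip, status) for each POST to the import endpoint, earliest first.

    Joomla sessions are cookie-based, so the log cannot show whether the caller was
    logged in; every hit should be reviewed, and the first one dates the initial probe.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST" or not is_profile_import(m.group("path")):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, m.group("ip"), int(m.group("status"))))
    return sorted(hits)


def find_php_files(site_root, subdirs=("images", "media", "tmp")):
    """List PHP-like files under the upload directories, relative to site_root.

    Hits are candidates for review, not proof of compromise: compare against the
    files your installed extensions legitimately ship.
    """
    found = []
    for sub in subdirs:
        for dirpath, _, files in os.walk(os.path.join(site_root, sub)):
            for name in files:
                if PHP_EXT_RE.search(name):
                    rel = os.path.relpath(os.path.join(dirpath, name), site_root)
                    found.append(rel.replace(os.sep, "/"))
    return sorted(found)


# Constructed sample log: one benign GET, two import POSTs (one with reversed
# parameters), and a POST to a different task that must not match.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Jun/2026:09:02:11 +0000] "GET /index.php?option=com_jce HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jun/2026:22:41:09 +0000] "POST /index.php?task=profiles.import&option=com_jce HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [14/Jun/2026:22:41:10 +0000] "POST /index.php?option=com_jce&task=mediabox.upload HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '192.0.2.44 - - [16/Jun/2026:03:14:07 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "curl/8.5.0"',
]


def build_demo_tree():
    """Create a constructed throwaway site tree for the directory check and return its root."""
    root = tempfile.mkdtemp(prefix="jce-demo-")
    for rel in ("images/stories/logo.png", "images/stories/shell.php",
                "media/jui/js/app.js", "tmp/up.php.jpg"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for ver in ("2.8.3", "2.9.99.4", "2.9.99.5", "2.9.99.6", "2.6.12"):
        print(ver, "->", assess_version(ver))
    for ts, ip, status in find_import_posts(SAMPLE_LOG):
        print("profile import POST", ts.isoformat(), ip, status)
    print("php-like files:", find_php_files(build_demo_tree()))
```

Run it against a real site by replacing SAMPLE_LOG with `open("/var/log/apache2/access.log")` and passing the Joomla root to `find_php_files`; the first tuple returned by `find_import_posts` is the timestamp to use when choosing a pre-compromise backup.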
How it is being exploited
The attack path is direct: an unauthenticated HTTP POST to index.php?option=com_jce&task=profiles.import creates an editor profile configured to allow PHP and other executable file uploads. A second request uploads a webshell, typically to the site’s images directory, which is the default upload path when no path is set in the profile. Widget Factory confirmed on June 3, 2026 that working exploit code is public and exploitation is automated.
CISA added CVE-2026-48907 to the KEV catalog on June 16, 2026, confirming in-the-wild exploitation. Known ransomware campaign use is listed as Unknown in the catalog at this time.
CVSS 4.0 base score is 10.0 (CRITICAL), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A, as scored by Joomla’s security team at NVD. The “Attacked” exploit maturity tag (E:A) reflects confirmed active exploitation. EPSS was not yet scored for this CVE at time of publication; the NVD record was published June 5, 2026, and EPSS scores are updated periodically by FIRST.
How VulnMonitor helps
VulnMonitor keeps a live software inventory across your estate. When CISA added CVE-2026-48907 to the KEV catalog on June 16, VulnMonitor reconciled that entry against your inventory and ranked it by KEV status and severity. If any asset runs JCE below 2.9.99.6, that surfaces in your queue immediately rather than waiting for a scheduled scan. It does not remove a webshell or stop an ongoing attack; patching and post-compromise remediation are the required actions. Knowing which sites are exposed is the first step, and that question should not take hours to answer.
Updates
- 2026-06-17, 02:00 UTC Initial post. CVE-2026-48907 added to CISA KEV on June 16, 2026. CVSS 4.0 score 10.0 CRITICAL. Fixed in JCE 2.9.99.6; free patch available for 2.7.x/2.8.x/2.9.x at the Widget Factory advisory.