CVE-2026-48907: Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5

Synopsis

This is an unauthenticated remote code execution vulnerability in the JCE (Joomla Content Editor) extension for Joomla, affecting all versions from 1.0.0 through 2.9.99.4. An attacker reachable over the network requires no credentials to exploit it: they create a new editor profile through an exposed endpoint and use it to upload and execute arbitrary PHP code on the server. Successful exploitation gives the attacker full control over the host, including reads, writes, and the ability to run operating-system commands. No fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The vulnerable endpoint is exposed over the network, so the attacker must be able to send HTTP requests to the Joomla installation.

• AuthenticationNot required

  No account or session token is needed; the profile-creation endpoint is accessible to unauthenticated users.

• Victim interactionNot required

  The attacker operates entirely server-side; no user action or social-engineering step is required.

• Attack complexityDetail

  Exploitation is reliable and condition-free: no race condition, memory layout dependency, or environmental prerequisite is involved.

Blast Radius

• Attacker uploads and executes arbitrary PHP code, gaining a remote shell on the host running the Joomla application.
• Full read access to the application filesystem, including configuration files, database credentials, and stored user data.
• Full write access allows modification or deletion of site content, database records, and application files.
• Compromise extends to systems and services reachable from the host, as indicated by high scores across both vulnerable and subsequent system impact dimensions in the CVSS v4 vector.