CVE-2026-48907

Think of Joomla as your business website’s “front door,” and the joomlacontenteditor.net (JCE) extension as a special tool your site uses to edit content. This bug lets a stranger, without logging in, create new editor settings in a way that can end with malicious PHP code being uploaded and then executed by your server. In plain terms: someone may be able to take control of what your server does when it loads your site.

This matters to you if you use Joomla and specifically have the joomlacontenteditor.net Joomla Content Editor (JCE) extension installed on a Joomla version affected by this issue (Joomla < 2.9.99.5). If your website is publicly reachable and you use this extension, you’re in the group at risk because attackers can reach it without an account. This is not niche enterprise software—it’s commonly used as a website editor add-on, which is why small businesses can be affected.

This is a RED situation because the vulnerability is known to be exploited in the wild (CISA KEV) and press reports indicate real-world exploitation (“itw”) with rising attention. Even though a public exploit isn’t available and there’s no known scanner template, attackers are still finding ways to use it, so waiting increases your exposure. Act now to reduce the chance of compromise.

1. Update Joomla and the joomlacontenteditor.net (JCE) extension to the fixed versions your vendor recommends, specifically to address Joomla < 2.9.99.5. 2) If you can’t update immediately, ask your IT/admin to temporarily restrict or disable the JCE editor functionality until you patch. 3) Check your site for unexpected new editor profiles/configuration changes related to JCE and review server logs for suspicious uploads or PHP execution attempts.