Popular Keywords

Categories

No Record Found

View All Results

Joomla JCE CVE-2026-48907: Patch the KEV Editor Flaw

CISA added Joomla Content Editor CVE-2026-48907 to KEV. Update JCE Pro to 2.9.99.6 or later, apply the vendor patch package for older sites, and review Joomla for cleanup.
Joomla JCE CVE-2026-48907 patch checklist for updating JCE, applying the security patch package, checking editor profiles, and verifying the site

Joomla Content Editor CVE-2026-48907 is now in CISA’s Known Exploited Vulnerabilities catalog. CISA added the issue on June 16, 2026, with a federal due date of June 19, 2026. The official CVE record rates it critical and describes affected JCE versions before 2.9.99.5.

JCE is a common editor extension on Joomla sites, so this is a practical hosting and site-owner issue. If a Joomla site has JCE Pro installed, treat this as urgent maintenance: update, verify the editor configuration, review recently changed files and users, then confirm the public site and administrator area still work as expected.

This is a protect-only guide. It does not include exploit steps, request details, scanner material, or low-level indicators that would help someone target a Joomla site.

What is affected

The CVE record lists the Joomla Content Editor extension for Joomla, from version 1.0.0 through 2.9.99.4, as affected. JCE’s own security update says JCE Pro versions before 2.9.99.5 are affected.

  • Joomla sites running JCE Pro before 2.9.99.5.
  • Older JCE 2.7.x, 2.8.x, and 2.9.x sites that cannot immediately move to the newest JCE release.
  • Shared-hosting and agency-managed Joomla sites where extensions are updated manually or through a maintenance contract.
  • Sites with administrator accounts, file uploads, media folders, or editor profiles that have not been reviewed recently.

What to install

JCE’s current recommendation is to update to JCE Pro 2.9.99.6 or later. Version 2.9.99.5 fixed the critical issue, and 2.9.99.6 added additional hardening after a code review.

JCE says 2.9.99.6 requires PHP 7.4 and Joomla 3.10 or later. For sites that cannot meet that requirement yet, JCE provides a free security patch package for JCE 2.7.x, 2.8.x, and 2.9.x. Treat that as a temporary patch path; it closes the vulnerability, but it is not the same as moving to the newest hardened release.

What to do now

  1. Inventory Joomla sites. Include production, staging, old microsites, client portals, and forgotten subdomain installs.
  2. Check the installed JCE version. Confirm whether the site is already on 2.9.99.6 or later, on 2.9.99.5, or still on an affected older version.
  3. Back up first. Save the Joomla files, database, configuration, extension list, and a rollback note before changing editor components.
  4. Update JCE Pro where possible. Use the Joomla updater or the vendor download area for the current fixed release.
  5. Use the vendor patch package for older sites. If the site cannot meet the newer PHP/Joomla requirement, apply JCE’s security patch package while planning the larger Joomla/PHP upgrade.
  6. Review editor profiles and media handling. Remove unexpected editor profiles, unexpected upload permissions, and stale administrator access.
  7. Look for suspicious site changes. Review recent file changes, unknown extensions, unknown administrator users, modified templates, unusual scheduled tasks, and unexpected executable files.
  8. Rotate credentials if exposure is plausible. Include Joomla administrators, hosting control-panel users, SFTP/SSH users, database users, and connected service keys after the site is clean.
  9. Verify the site after maintenance. Test public pages, administrator login, editing, media upload behavior, forms, cache, backups, and error logs.

Hosting and agency notes

If you manage many Joomla sites, start with internet-facing sites, sites that allow content editing by more than one person, sites with older PHP, and sites where extension updates are not automatic. Track which sites were updated to the hardened release and which sites only received the temporary patch package.

For hosting providers, this is also a customer-communication item. Let Joomla customers know that editor extensions need the same urgency as core CMS updates, and that cleanup may be necessary if a vulnerable version was exposed before patching.

Post-update verification checklist

  • JCE Pro reports 2.9.99.6 or later, or the vendor security patch package is documented for an older site.
  • Joomla core, PHP version, templates, and other extensions are compatible after the update.
  • Editor profiles, media permissions, administrator users, and extension lists have been reviewed.
  • No unexpected executable files, unknown extensions, or unexplained template changes remain.
  • Backups, public pages, administrator login, editing, uploads, forms, and cache all work after maintenance.
  • Credential rotation is complete where compromise is suspected or cannot be ruled out.

Related Fix I.T. Phill reading

Sources

Need help patching a Joomla site, checking whether a JCE install was exposed, or planning a safe Joomla/PHP upgrade path? Fix I.T. Phill can help update the site, review the cleanup checklist, and verify the public site afterward.

Picture of admin

admin

Leave a Reply

About Us

Fix I.T. Phill is a site dedicated to sharing knowledge freely to the public.  Use our Contact Us Form to submit new requests for tutorials that we will get up and ready for you ASAP!

Recent Posts

Follow Us

Twitch Twitter

Sign up for our Newsletter

Get the latest information on what is going on in the I.T. World.