Detections
Analytics

Joomla! JCE < 2.9.99.5 Unrestricted File Upload

critical Web App Scanning Plugin ID 115270

Synopsis

Joomla! JCE < 2.9.99.5 Unrestricted File Upload

Description

Joomla! Content Editor (JCE) is a popular WYSIWYG editor for Joomla! websites. Versions prior to 2.9.99.5 contain a critical vulnerability that allows unauthenticated users to create new editor profiles, which can lead to unrestricted file upload and remote code execution.

Solution

Upgrade toJoomla! JCE version 2.9.99.5 or later.

See Also

https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites

Plugin Details

Severity: Critical

ID: 115270

Type: Check Based

Published: 6/23/2026

Updated: 6/23/2026

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-48907

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2026-48907

CVSS v4

Risk Factor: Critical

Base Score: 10

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSS Score Source: CVE-2026-48907

Vulnerability Information

CPE: cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/18/2026

Vulnerability Publication Date: 6/4/2026

CISA Known Exploited Vulnerability Due Dates: 6/19/2026

Reference Information

CVE: CVE-2026-48907