CVE-2026-48907
CRITICAL
CVSS 10.0
No EPSS data
Description
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
CVSS details
EPSS
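This CVE is not currently listed in the EPSS dataset. A missing EPSS score does not indicate a low likelihood of exploitation: the CNA-supplied CVSS 4.0 vector in the record below sets E:A (exploit maturity "Attacked") and U:Red (provider urgency), so prioritisation should rest on those values until an EPSS score is published.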
{
"cve": {
"id": "CVE-2026-48907",
"cveTags": [],
"metrics": {
"cvssMetricV40": [
{
"type": "Secondary",
"source": "security@joomla.org",
"cvssData": {
"Safety": "NOT_DEFINED",
"version": "4.0",
"Recovery": "NOT_DEFINED",
"baseScore": 10,
"Automatable": "YES",
"attackVector": "NETWORK",
"baseSeverity": "CRITICAL",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red",
"exploitMaturity": "ATTACKED",
"providerUrgency": "RED",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "NONE",
"subIntegrityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"vulnAvailabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"subConfidentialityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED"
}
}
]
},
"published": "2026-06-05T08:16:30.797",
"references": [
{
"url": "https://www.joomlacontenteditor.net/",
"source": "security@joomla.org"
}
],
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"type": "Primary",
"source": "security@joomla.org",
"description": [
{
"lang": "en",
"value": "CWE-284"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution."
}
],
"lastModified": "2026-06-05T16:05:36.550",
"sourceIdentifier": "security@joomla.org"
}
}