{"id":"CVE-2026-48907","details":"A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.","modified":"2026-07-15T06:10:01.649286Z","published":"2026-06-05T08:16:30.797Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48907"},{"type":"WEB","url":"https://www.joomlacontenteditor.net/"},{"type":"ADVISORY","url":"https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/widgetfactory/jce","events":[{"introduced":"0"},{"fixed":"64f85d92524378dfe35cccad80eb255c1bbec1e6"}],"database_specific":{"cpe":"cpe:2.3:a:widgetfactorylimited:jce:*:*:*:*:*:joomla\\!:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2.9.99.5"}],"source":"CPE_RANGE"}}],"versions":["2.9.99.4","2.9.99.3","2.9.99.2","2.9.99.1","2.9.99","2.9.98","2.9.97","2.9.96","2.9.95","2.9.94","2.9.93","2.9.92","2.9.91","2.9.90","2.9.84","2.9.83","2.9.82","2.9.81","2.9.80","2.9.79","2.9.78","2.9.77","2.9.76","2.9.75","2.9.74","2.9.73","2.9.72","2.9.71","2.9.70","2.9.63","2.9.62","2.9.61","2.9.60","2.9.59","2.9.58","2.9.57-beta","2.9.57","2.9.56","2.9.55","2.9.54","2.9.53","2.9.52","2.9.51","2.9.50","2.9.41","2.9.40","2.9.39","2.9.38","2.9.37","2.9.36","2.9.35","2.9.34","2.9.33","2.9.32","2.9.32-beta2","2.9.32-beta1","2.9.31","2.9.31-beta","2.9.30","2.9.30-beta","2.9.29","2.9.28-beta2","2.9.28","2.9.27","2.9.27-beta1","2.9.26","2.9.25","2.9.24","2.9.23","2.9.22","2.9.21","2.9.20","2.9.19","2.9.18","2.9.18-beta","2.9.17","2.9.16","2.9.15","2.9.14","2.9.12","delete","2.9.11","2.9.10","2.9.9","2.9.8","2.9.7","2.9.6","2.9.6-beta1","2.9.5-beta1","2.9.5","2.9.4","2.9.3","2.9.2","2.9.1","2.9.0","2.8.18","2.8.17","2.8.16","2.8.15","2.8.14","2.8.13","2.8.12","2.8.11","2.8.10","2.8.9","2.8.8","2.8.7","2.8.6","2.8.5","2.8.4","2.8.3","2.8.2","2.8.1","2.8.0","2.7.13","2.7.12","2.7.11","2.7.10","2.7.9","2.7.8","2.7.7","2.7.6","2.7.5","2.7.4","2.7.3","2.7.2","2.7.1","2.7.0","2.6.30","2.6.29","2.6.28","2.6.28-beta1","2.6.27","2.6.26","2.6.25","2.6.24","2.6.23","2.6.22","2.6.21","2.6.20","2.6.19","2.6.18","2.6.17","2.6.16","2.6.15","2.6.14","2.6.12","2.6.11","2.6.10","2.6.9","2.6.8","2.6.7.1","2.6.7","2.6.6","2.6.5","2.6.4","2.6.3","2.6.2","2.6.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48907.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}