The Joomla JCE editor is one of the most widely used extensions for content management on Joomla websites. That is why its current security issue is very serious. If you have an older version of JCE installed on your website, we recommend checking and updating it immediately.
According to the official announcement from the developer, version JCE 2.9.99.5 fixed a critical vulnerability that allowed unauthorized users to upload an editor profile to the website. This profile could then be abused to upload arbitrary files to the server. The vulnerability is registered as CVE-2026-48907 and, according to the NVD, may even lead to uploading and executing PHP code on the server.
Why this vulnerability is dangerous
The issue does not affect only websites that have user registration enabled. The vulnerability could be exploited without logging in. This means that an attacker did not need an administrator account or even a regular user account on the website.
The exploitation takes place through the JCE profile import function. An editor profile in JCE defines, among other things, permissions for working with files, allowed file extensions and upload options. If an attacker is able to create their own malicious profile, they may attempt to allow the upload of dangerous files, such as PHP scripts, and thereby gain control over the website.
Security analyses describe a scenario in which an attacker creates a fake editor profile without logging in and then abuses the profile permissions to upload and execute PHP code. The vulnerability is rated as critical.
2.9.99.6 on every site still on a vulnerable JCE
It is important not to install only version 2.9.99.5, but to upgrade directly to the latest available version of JCE, 2.9.99.6 or higher. Version 2.9.99.5 fixed the main critical vulnerability, but the subsequent version 2.9.99.6 introduced an additional security audit, restricted entry points and stricter input validation. The JCE developer explicitly marks version 2.9.99.6 as a strongly recommended update for all websites.
The official download page lists JCE 2.9.99.6 as the current version, updated on June 8, 2026, intended for Joomla 3.10, Joomla 4.x, Joomla 5.x and Joomla 6.x.
Focus mainly on the following points:
In the Joomla administration, check Components → JCE Editor → Editor Profiles. A profile is suspicious if you did not create it yourself, if it has a random or meaningless name, or if it is placed unusually high in the list of profiles.
Check the allowed file extensions in plugins such as Image Manager or File Browser. If a profile allows the upload of PHP files or other scripting files, this is a very serious warning sign.
Inspect the images, media and tmp directories. PHP files should not normally be present in these directories. If you find an unknown PHP file there, the website must be considered compromised.
In the access log, look for requests to:
index.php?option=com_jce&task=profiles.import
The official JCE recommendation lists this request as an important indicator of an attempted abuse of the profile import function.
What we recommend doing immediately
The safest approach is to update the JCE editor to the latest available version. At the time of writing, this is JCE 2.9.99.6.
In the Joomla administration, go to the extension updates section, check for available updates and update JCE. If the update is not offered, check whether the JCE update server is enabled. For the paid JCE Pro version, also verify that the license is valid and that the subscription key is configured correctly.
After the update, we recommend:
- checking the JCE profiles,
- checking for suspicious PHP files in the images, media and tmp directories,
- reviewing access logs,
- changing administrator passwords,
- changing the Joomla secret,
- running a server-side antivirus or malware scan,
- checking whether the website contains a webshell or any other backdoor.
What if the latest version of JCE cannot be installed
Some older websites run on outdated PHP or an old version of Joomla. According to the developer, JCE 2.9.99.6 requires PHP 7.4 and Joomla 3.10 or newer. If the website does not meet these requirements, this is not a secure long-term state. Old PHP and an old Joomla version mean additional unpatched security issues.
If JCE cannot be updated because of an outdated PHP version, we recommend one of the following options:
1. Update PHP and Joomla
This is the correct long-term solution. The website should run on a supported PHP version, a supported Joomla version and current versions of all extensions.
2. Uninstall the JCE editor
If you do not strictly need JCE on the website and it cannot be updated safely, we recommend uninstalling the editor. An unused or non-updatable extension is an unnecessary security risk.
3. Install RSFirewall! version 3.3.6 or higher
If the website cannot yet be updated for technical reasons, we recommend adding another protective layer in the form of RSFirewall!. The RSFirewall! changelog states that version 3.3.5 added protection against the JCE vulnerability affecting versions older than 2.9.99.5, and version 3.3.6 introduced further improvements in protection against JCE vulnerabilities affecting versions older than 2.9.99.6.
However, RSFirewall! should be treated as temporary protection, not as a replacement for an update. If the JCE extension itself is vulnerable, the best solution is still to update it or uninstall it.
Recommendation for Joomla website administrators
Check all Joomla websites you manage. It is not enough to inspect only active or frequently edited websites. Old company presentations, forgotten microsites, test installations and websites where JCE has not been used for a long time but remains installed are also at risk.
Minimum recommended procedure:
- verify whether JCE is installed,
- check its version,
- update to JCE 2.9.99.6 or higher,
- if the update is not possible, uninstall JCE,
- optionally deploy RSFirewall! 3.3.6 or higher as temporary protection,
- check logs and suspicious files.
The vulnerability in the JCE editor is not a minor, ordinary extension bug. It is a critical vulnerability that allowed unauthorized creation of an editor profile and could subsequently lead to uploading and executing PHP code on the server.
We recommend not waiting for another incident. If you use JCE on a Joomla website, update it to the latest version. If this is not possible because of old PHP or an old Joomla version, uninstall the editor or temporarily protect the website using RSFirewall! 3.3.6 or higher. At the same time, plan an update of the entire website to supported versions of PHP, Joomla and all extensions in use.