CVSS 10.0 — The Maximum Possible Score
CVE-2026-48907 is a CVSS 10.0 vulnerability in the Joomla Content Editor (JCE) plugin — the maximum severity score that the Common Vulnerability Scoring System can assign. The flaw is an improper access control issue in JCE's profile import function. Attackers do not need credentials. By sending crafted requests to the import endpoint, they bypass security checks, create a new editor profile, upload malicious PHP files, and execute them remotely. The result is a persistent web shell — a backdoor on the server.
CISA added CVE-2026-48907 to its Known Exploited Vulnerabilities catalog on June 16, 2026, confirming active exploitation in the wild. Federal Civilian Executive Branch agencies have been ordered to patch by June 19 — a three-day window that reflects the severity. Security researcher Phil E. Taylor documented attackers importing rogue editor profiles and using them to drop web shells on Joomla servers running Linux.
The Plugin Problem — Again
JCE is a content editor plugin: it replaces Joomla's default text editor with a richer interface, including a file browser for uploads. Like WordPress's plugin ecosystem, Joomla's extension directory contains thousands of third-party add-ons, and each one runs inside the same PHP process as Joomla itself, with the web server's filesystem and database privileges. A content editor plugin has no business reason to accept unauthenticated profile imports. But the functionality existed, the access control was broken, and attackers found it.
This mirrors the pattern seen across all legacy CMS platforms. WordPress's Kirki plugin (CVSS 9.8, 500K sites) had a broken password reset. WordPress's Breeze Cache (CVE-2026-3844) allowed unauthenticated file uploads. Drupal's database API (CVE-2026-9082, CVSS 9.8) had SQL injection. The specific vulnerability differs. The pattern is identical: code reachable over HTTP, running with the web server's own privileges, and missing the one check that should have stopped the request.
Joomla's Position in the Ecosystem
Joomla occupies a shrinking but still significant portion of the web. Among sites detected in WebPulse's scans, Joomla's share is small but its government and institutional footprint is disproportionately large. Government websites, educational institutions, and non-profit organizations adopted Joomla heavily between 2008 and 2015. Many of these installations still run, often with outdated extensions, and are maintained by teams with limited security expertise.
The Web Shell Endgame
A PHP web shell is not a temporary exploit — it is a persistent foothold. Once installed, the attacker can return at any time, execute arbitrary commands as the web server user, read the database (Joomla's configuration.php holds the credentials), pivot to other systems on the network, and install additional malware. Cleaning a web shell requires forensic analysis of the entire server, not just patching the plugin: the update closes the entry point but removes nothing the attacker left behind. Organizations running JCE should update to version 2.9.99.5 and then audit: review the JCE profile list for entries nobody on the team created (the attack chain begins by importing one), look for PHP files in directories that should contain only uploaded media, check for unexpected administrator accounts, and rotate database and administrator credentials if anything turns up. The vulnerability was fixed June 3, but exploitation was active before the patch, so a fully patched server may already host a shell.
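The audit recommended above can be scripted. What follows is an added example, not code from this article or from the JCE project: a Python scanner that walks a Joomla document root and flags PHP files where only uploaded media should live, PHP code hidden behind an image extension, an .htaccess that re-enables script execution inside an upload directory, and request input flowing straight into eval or a command-execution function. It assumes the site uses Joomla's default images/ media directory (UPLOAD_DIRS is an assumption to extend per site), and the demo() function builds a constructed sample tree in a temporary directory; the pattern list is a generic starting set, not indicators tied to CVE-2026-48907 or any specific campaign.

```python
"""Hunt for PHP web shells under a Joomla document root.

Added example, not part of the original article or of the JCE project.
Assumptions: the media root is Joomla's default 'images/' directory, and the
suspicious-code patterns are a generic starting set, not indicators tied to
CVE-2026-48907 or any specific campaign.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Directories that should hold uploaded media, never executable PHP.
# Assumption: Joomla's default media root; add your site's other upload paths.
UPLOAD_DIRS = ("images",)

PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Generic web-shell traits: request input flowing straight into an execution
# sink, or an eval wrapped around a decoder. Expect false positives on
# legitimate admin tooling; every hit is a lead for forensics, not proof.
SUSPICIOUS = [
    (re.compile(r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "eval/assert of decoded payload"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
     "request input passed to a command-execution sink"),
    (re.compile(r"\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
     "request input passed to eval"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^]]+\]\s*\(", re.I),
     "request input called as a function"),  # e.g. $_GET['f']($_GET['a'])
]


@dataclass(frozen=True)
class Finding:
    path: str    # path relative to the scanned root, '/'-separated
    reason: str


def _under_upload_dir(rel: str) -> bool:
    return rel.split("/", 1)[0] in UPLOAD_DIRS


def scan_tree(root: str) -> list[Finding]:
    """Walk ROOT and return one Finding per (file, reason) pair."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(full, "rb") as fh:
                    data = fh.read(512 * 1024)  # shells are small; cap the read
            except OSError:
                continue
            text = data.decode("utf-8", errors="replace")
            is_php = ext in PHP_EXTS
            has_php_tag = "<?php" in text
            if is_php and _under_upload_dir(rel):
                findings.append(Finding(rel, "PHP file inside an upload directory"))
            if has_php_tag and not is_php:
                findings.append(Finding(rel, "PHP code hidden in a non-PHP file"))
            if name == ".htaccess" and _under_upload_dir(rel) and \
                    re.search(r"\b(AddHandler|AddType|SetHandler)\b", text, re.I):
                findings.append(Finding(rel, ".htaccess re-enabling script execution in an upload dir"))
            if is_php or has_php_tag:
                for pattern, reason in SUSPICIOUS:
                    if pattern.search(text):
                        findings.append(Finding(rel, reason))
    return findings


def demo() -> dict[str, list[str]]:
    """Scan a constructed Joomla-like tree (sample data, not from any real site)."""
    samples = {
        # legitimate core file in its normal place: should produce no finding
        "components/com_content/router.php": b"<?php\ndefined('_JEXEC') or die;\nclass Router {}\n",
        # dropped one-liner shell where only images belong
        "images/stories/cache.php": b"<?php @eval(base64_decode($_POST['c'])); ?>",
        # polyglot: JPEG magic bytes followed by PHP, for hosts that execute .jpg
        "images/banner.jpg": b"\xff\xd8\xff\xe0JFIF<?php system($_GET['cmd']); ?>",
        # variable-function shell: no eval/system keyword to grep for
        "images/x.php": b"<?php $_GET['f']($_GET['a']);",
        # attacker-planted handler mapping so .jpg uploads run as PHP
        "images/.htaccess": b"AddHandler application/x-httpd-php .jpg\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        report: dict[str, list[str]] = {}
        for f in scan_tree(root):
            report.setdefault(f.path, []).append(f.reason)
    return report


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

Run it against a real site with scan_tree("/var/www/html") and treat each hit as a lead, not a verdict: compare flagged files against a clean copy of the same extension versions, check their modification times against the access log, and remember that a shell can be obfuscated past any fixed pattern list, which is why the location-based checks (PHP under images/, a rewritten .htaccess) matter as much as the content patterns.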