CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
Description (NVD)
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
Analysis (AI)
Unauthenticated remote code execution in the JCE (Joomla Content Editor) extension for Joomla allows attackers to create editor profiles without authentication, then leverage that capability to upload and execute arbitrary PHP code on the server. With a CVSS 4.0 score of 10.0 and the CVSS:4.0 'U:Red' urgency flag set by the vendor, this represents a critical broken-access-control flaw, though no public exploit had been identified at the time of analysis.
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires only that the target Joomla site has the JCE (Joomla Content Editor) third-party extension installed and reachable over HTTP/HTTPS. The vulnerability is in the extension itself, so a vanilla Joomla install without JCE is unaffected. … |
| Risk Assessment | All available signals point in the same direction: critical, broadly exploitable. … |
| Exploit Scenario | An attacker scans the public internet for Joomla sites running the JCE extension, then sends a crafted unauthenticated request to the vulnerable profile-creation endpoint to provision a new editor profile that permits PHP file uploads. They then use JCE's own file manager to upload a PHP webshell and request it from the web root, gaining arbitrary code execution as the webserver user and full control of the underlying Joomla host. … |
| Remediation | Patch available per vendor advisory: upgrade the JCE extension to the latest release available from https://www.joomlacontenteditor.net/ as the primary fix. An exact fixed version number was not provided in the supplied data and must be confirmed against the vendor's release notes. … |
Recommended Action (AI)
Within 24 hours: Identify all Joomla instances with JCE extension active; immediately disable or uninstall JCE if operationally feasible, or restrict network access to Joomla administrative interfaces. …
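The first recommended step above is to find every Joomla instance that has JCE installed. The script below is an added example (not code from vuln.today, Joomla or the JCE project) that walks a document root, recognises Joomla installs and reports whether JCE is present and which version its manifest declares. It assumes that a Joomla install is identifiable by a `configuration.php` beside an `administrator/` directory and that JCE's manifest lives at `administrator/components/com_jce/jce.xml` with a `<version>` child; both are labelled assumptions in the code. Whether the component is actually enabled is recorded in the `#__extensions` database table rather than on disk, so this inventory reports presence and version only, and the sample directory tree it builds is constructed for the demonstration.

```python
"""Inventory Joomla installs under a directory and flag those that ship JCE.

Added example, not from the page or from the Joomla/JCE projects.
Assumptions (not confirmed by the page):
  * a Joomla install = configuration.php next to an administrator/ directory
  * JCE's manifest = administrator/components/com_jce/jce.xml with a <version> child
Enabled/disabled state lives in the #__extensions table, not on disk, so only
presence and declared version are reported.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

JCE_MANIFEST = Path("administrator/components/com_jce/jce.xml")  # assumed location


def find_joomla_roots(search_root):
    """Return sorted Paths of directories that look like Joomla installs."""
    roots = []
    for dirpath, dirnames, filenames in os.walk(search_root):
        if "configuration.php" in filenames and "administrator" in dirnames:
            roots.append(Path(dirpath))
            dirnames[:] = []  # do not descend further into a recognised install
    return sorted(roots)


def jce_version(joomla_root):
    """Return the JCE version string, 'unknown'/'unparseable', or None if absent."""
    manifest = Path(joomla_root) / JCE_MANIFEST
    if not manifest.is_file():
        return None
    try:
        tree = ET.parse(manifest)  # local, operator-controlled file
    except ET.ParseError:
        return "unparseable"
    node = tree.getroot().find("version")
    if node is None or not node.text:
        return "unknown"
    return node.text.strip()


def inventory(search_root):
    """Map each Joomla install path to its JCE version (None when JCE is not installed)."""
    return {str(root): jce_version(root) for root in find_joomla_roots(search_root)}


def build_sample_tree(base):
    """Constructed fixture: one install with JCE, one without, one non-Joomla app."""
    site_a = Path(base) / "site_a"
    (site_a / "administrator" / "components" / "com_jce").mkdir(parents=True)
    (site_a / "configuration.php").write_text("<?php class JConfig {}\n")
    (site_a / JCE_MANIFEST).write_text(
        '<?xml version="1.0"?>\n'
        '<extension type="component" method="upgrade">\n'
        "  <name>JCE</name>\n"
        "  <version>2.9.0</version>\n"  # made-up version for the fixture
        "</extension>\n"
    )
    site_b = Path(base) / "site_b"
    (site_b / "administrator").mkdir(parents=True)
    (site_b / "configuration.php").write_text("<?php class JConfig {}\n")
    other = Path(base) / "not_joomla"
    other.mkdir()
    (other / "configuration.php").write_text("<?php // unrelated application\n")


def demo():
    """Build the constructed tree in a temp dir and return {install_name: jce_version}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {Path(path).name: ver for path, ver in inventory(tmp).items()}


if __name__ == "__main__":
    for name, version in demo().items():
        status = f"JCE {version} present" if version else "JCE not installed"
        print(f"{name}: {status}")
```

Run it against a real document root by calling `inventory("/var/www")` instead of `demo()`; any install that reports a version should then be cross-checked against the vendor's release notes and against the `enabled` flag in the site's `#__extensions` table before deciding whether to upgrade, disable or uninstall.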
External POC / Exploit Code
(none listed)
References
- EUVD-2026-34789
- GHSA-c3f5-4g7f-qjqj