
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN645
_____________________________________________________________________

DATE                : 18/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running JCE versions prior to 2.9.99.7.

=====================================================================
https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites
https://www.joomlacontenteditor.net/news/jce-pro-2-9-99-7-released
_____________________________________________________________________


JCE security update, and a free patch for older sites

Created: 12 June 2026

On 3 June 2026 I released JCE 2.9.99.5 to patch a critical
vulnerability in all earlier versions, followed on Monday 6 June 2026
by 2.9.99.6, which added hardening on top. JCE Pro 2.9.99.6 is the
recommended version for every site.

If you have not yet updated, please do so immediately. The
vulnerability is being actively exploited, working exploit code is
public, and the attacks are automated, so a site with no public
registration is not safe.

One important point: updating closes the entry point but does not
clean a site that was already compromised. If you were hit before
updating, the update will not remove what the attacker left behind.

Checking your site

The attack works by getting an editor profile onto your site that
permits uploading executable files, then using it to upload one.
What to look for:

    In Components -> JCE Editor -> Editor Profiles: an editor
profile you did not create. It will usually have a meaningless,
automatically generated name, and may be ordered so it sits at
the top of your profile list.

    A profile set to allow PHP or other script files to be
uploaded. This will be set in the Permitted File Extensions
parameter for a plugin, e.g. Image Manager or File Browser.

    A front-end editor that has lost its normal toolbar and
shows only a stripped-down, single-button or no-button version.
On its own this is a hint rather than proof, but alongside an
unfamiliar profile it is a strong sign.

The reliable confirmation is in your web server access logs,
which you can usually find in your hosting control panel, or
request from your host. Look for unauthenticated requests to
the profile import task, index.php?option=com_jce&task=profiles.import.
The earliest matching entry shows when the site was first
reached, so restore from a backup taken before that date.
Get hold of the logs sooner rather than later, as many hosts
keep them only briefly, and once they have rotated away
there may be no record left. A site can still be
compromised even when the logs no longer show it.

Suspicious Files

Be wary of any PHP file in your images, media or tmp folders
that you did not put there. Those folders should not normally
contain PHP files, or files with php in the file name,
e.g. foo.php.xml. When a profile sets no upload path, the
default location is the images folder, so start there.
If you are not confident judging this by eye, the free
audit below will do it for you.
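As an added illustration of the two checks above (the access-log search and the upload-folder sweep), not code from the JCE project or the post: the script searches constructed Apache-style access-log lines for requests to the profile import task and returns the earliest one, and flags PHP-looking files under images/, media/ and tmp/. The log lines and file paths are constructed samples; the task URL is the one the post names.

```python
import re
from datetime import datetime
from pathlib import PurePosixPath
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2026:02:14:09 +0000] "GET /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.3 - - [01/Jun/2026:09:30:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2026:02:15:41 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 302 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UPLOAD_DIRS = ("images", "media", "tmp")  # folders that should hold no PHP

def find_profile_import_requests(log_text):
    """(timestamp, ip, method, status) for every request to the JCE profile
    import task; the post says any such request needs a closer look."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = unquote(m["url"]).lower()  # undo %-encoding before matching
        if "option=com_jce" in url and "task=profiles.import" in url:
            hits.append((datetime.strptime(m["ts"], TS_FMT),
                         m["ip"], m["method"], int(m["status"])))
    return sorted(hits)

def earliest_contact(log_text):
    """First import request: restore from a backup taken before this date."""
    hits = find_profile_import_requests(log_text)
    return hits[0][0] if hits else None

def is_suspicious_upload(path):
    """True for a .php file or any name containing 'php', e.g. foo.php.xml."""
    return "php" in PurePosixPath(path).name.lower()

def suspicious_files(paths):
    """Keep only PHP-looking files under images/, media/ or tmp/ (site-root-relative paths)."""
    out = []
    for p in paths:
        parts = PurePosixPath(p).parts
        if parts and parts[0] in UPLOAD_DIRS and is_suspicious_upload(p):
            out.append(p)
    return out
```

Feed `find_profile_import_requests` the full access log (and rotated copies) rather than a day's slice, since the earliest hit is what fixes the restore date.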

For a fuller technical breakdown and a complete list of
indicators, Phil Taylor of mysites.guru has published a
detailed independent analysis.


If you find something

Assume the site is compromised and work through it in
this order:

    1. Before you delete or change anything, keep a copy
of the suspect profile and any suspect files. If you
later need to work out when the site was breached, or
hand it to someone for help, you will want them.

    2. Update to JCE 2.9.99.6 or later first. Closing the
entry point comes before cleaning up, because until
the site is patched the same automated attack can
simply reinstate everything you remove.

    3. Delete the rogue profile. In
Components -> JCE Editor -> Editor Profiles, tick
only the profile or profiles you did not create,
using the signs described earlier, then click
Delete. Leave the profiles you set up yourself
alone. Then delete every file uploaded through it,
checking the locations listed under Suspicious
Files above.

    4. Change your passwords, including your administrator
logins, your database, and your hosting or FTP
access.

    5. Change the same passwords on any other site where
you have reused them.

    6. Run a full server-side malware scan to confirm
nothing else was planted. Your host may provide one
(many run Imunify or similar) or can run one for you
on request.

If you would rather not do this by hand, or you
manage several sites, mysites.guru offers a free
audit that scans the whole site, including files
outside the public web root, and flags rogue JCE
profiles and anything uploaded through them.

For sites that cannot update

2.9.99.6 needs PHP 7.4 and Joomla 3.10 or later.
For sites not yet able to meet that, a free patch
package patches the vulnerability in JCE 2.7.x,
2.8.x and 2.9.x.

JCE 2.6.x does not appear to be affected in a
default configuration. The unauthenticated profile
import path is blocked, and no guest-accessible
profile exists by default. This has not yet been
independently verified. 2.6.x is unsupported and
may contain other unpatched issues, so please still
plan to migrate.

Please note before using the patch:

    It closes the vulnerability only, without the
additional 2.9.99.6 hardening.
    It is provided as-is, with no warranty, for
sites that genuinely cannot update.
    It does not clean an already-compromised site.
Work through the checks above regardless.
    It is a stopgap. End-of-life PHP or Joomla
leaves you exposed to other unpatched issues, so
please plan to move to a supported platform.
    Back up and test on a copy first.

Download the Patch Package

If you have any questions please post on the forum.

_____________________________________________________________________

JCE Pro 2.9.99.7 released

Created: 18 June 2026

This release continues the security work of the previous versions and
fixes the upload problems some sites saw after 2.9.99.6.

Highlights:

    Fixes false positive PHP tag detection that was blocking
legitimate image and file uploads after 2.9.99.6.

    Further hardening across the upload pipeline and profile import,
continuing the defence in depth approach.

    JCE can now be installed on Joomla 3.9 and later. PHP 7.4
or later is still required.

    A new Permitted User Groups option is available in the
Security tab in the Component parameters
(Components -> JCE Editor -> Control Panel, then click the
Options button). Whitelist the groups eligible for profile
assignment and import; any group outside the whitelist is
ignored. This guards against over-permissive groups slipping
in, for example when importing a profile from another site,
or another admin adding a group to a profile that should not
be there. The option is empty and inactive by default, so
existing sites are unaffected unless you configure it.

    [Image: Configure a Permitted User Group whitelist for all
Editor Profiles]

We recommend all users update.

Update fatigue is real. Whether you run one site or many,
services like BackupMonkey and MySites.guru help you keep on
top of updates and apply them across everything you manage.

The underlying vulnerability, CVE-2026-48907, was patched
in 2.9.99.5, with additional security hardening in 2.9.99.6,
and this release builds on that work. If you have not yet
updated, or you need to check a site for compromise,
read JCE security update, and a free patch for older sites.

Please Note: JCE Pro 2.9.99.x is compatible with Joomla 3,
4, 5 and 6, and does not require the Backwards
Compatibility plugin in Joomla 5 or Joomla 6.

A changelog for this release is available to view here.

Thank you to everyone who submitted bug reports and tested
development versions. If you find any more issues please
submit a ticket in the forum or on github.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================