HTProtect.org
Independent information site on Joomla security vulnerabilities
Security vulnerability

JCE (JoomlaContentEditor) – critical file upload, actively exploited

Critical · Actively exploited · CVE: No specific CVE assigned
Act now
Update JCE to 2.9.99.5 (better 2.9.99.6) immediately – the flaw is being actively exploited.

Secure version: JCE 2.9.99.5, preferably 2.9.99.6 · JCE Core (free) · JCE Pro (download requires a subscriber account)

At a glance

Affected extension
JCE Editor – Free & Pro, component com_jce
Type of flaw
Insufficient access control → unauthenticated upload of arbitrary files (via editor profiles)
Affected versions
All versions before 2.9.99.5 (Free and Pro)
Secure version
JCE 2.9.99.5, preferably 2.9.99.6 (download from joomlacontenteditor.net)
Severity
Critical · actively exploited
CVE
No specific CVE assigned
Joomla compatibility
Joomla 3 / 4 / 5 / 6
Status / published
Fix: 3 June 2026 · follow-up 2.9.99.6: 8 June 2026

What is this about?

JCE (JoomlaContentEditor) is one of the most widely used editors for Joomla. The vendor describes the cause as insufficient access control: unauthenticated users could upload editor profiles and through them place arbitrary files on the server.

All versions before 2.9.99.5 are affected, JCE Free and JCE Pro alike, regardless of whether public user registration is enabled. The fix appeared on 3 June 2026 as 2.9.99.5; after a full security audit, version 2.9.99.6 followed on 8 June 2026.

The flaw is actively exploited: attackers install web shells through it. Since no login is required, sites without open registration are at risk too. Editor profiles with random names or a "Public" assignment are particularly suspicious. (Historically, JCE was already the target of large-scale attacks in 2011/2012 – CVE-2012-2902.)

Am I affected? – How to check

  1. Open the back end

    Log in to the Joomla administrator.

  2. Check the JCE version

    Open Components → JCE Editor. The version number is shown there.

  3. Assess the version

    If the version is below 2.9.99.5, action is urgently needed.

  4. Review editor profiles

    Check the JCE editor profiles for unknown entries with random names or a Public assignment.
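
The four manual steps above can be scripted for a server-side or bulk check. The following is an added example written for this page, not code from htprotect.org or from the JCE project. It assumes, and the page does not state this, that the installed version can be read from the component manifest administrator/components/com_jce/jce.xml, that editor profiles live in the database table #__wf_profiles with the profile name in `name` and the assigned Joomla user-group IDs comma-separated in `types`, and that Joomla's built-in Public group has ID 1. The manifest text, the profile rows and the list of expected profile names are constructed samples so the script runs offline; the same version check serves step 3 of "How to fix it" after updating. Note the version comparison: JCE version strings must be compared component by component as integers, since a plain string comparison would rank 2.9.99.5 above 2.9.100.0.

```python
"""Scripted version of the "Am I affected?" check for the JCE profile-upload flaw.

Added example (not htprotect.org or JCE code). Assumptions, not stated on the page:
- installed version: <version> element in administrator/components/com_jce/jce.xml
- profiles: rows of #__wf_profiles, columns `name` and `types`
  (`types` = comma-separated Joomla user-group IDs; Public group = 1)
Inputs below are constructed samples so the script runs offline.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "2.9.99.5"        # first version with the fix (from the page)
RECOMMENDED_VERSION = "2.9.99.6"  # follow-up after the security audit (from the page)
PUBLIC_GROUP_ID = 1               # Joomla default "Public" user group (assumption)

# Profile names expected on this site. Populate from your own installation;
# the entries here are an assumption for the sample run.
KNOWN_PROFILE_NAMES = {"Default", "Front End", "Blog", "Mobile"}

# Constructed manifest excerpt standing in for jce.xml on a stale install.
SAMPLE_MANIFEST = """<extension type="component" method="upgrade">
  <name>COM_JCE</name>
  <version>2.9.99.4</version>
</extension>"""

# Constructed #__wf_profiles rows: two stock profiles plus one planted by an attacker.
SAMPLE_PROFILES = [
    {"id": 1, "name": "Default",   "types": "3,4,5,6,7,8", "published": 1},
    {"id": 2, "name": "Front End", "types": "3,4,5,6,7,8", "published": 1},
    {"id": 9, "name": "x7Qk2pLm",  "types": "1",           "published": 1},
]


def parse_version(version):
    """'2.9.99.5' -> (2, 9, 99, 5). Compare numerically per component;
    a string comparison would rank '2.9.99.5' above '2.9.100.0'."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return parts


def manifest_version(xml_text):
    """Extract the installed version from a JCE component manifest."""
    node = ET.fromstring(xml_text).find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def is_vulnerable(version):
    """True for every release before the fixed version (page: all versions < 2.9.99.5)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def profile_findings(rows, known_names=KNOWN_PROFILE_NAMES):
    """Flag profiles assigned to the Public group, carrying an unexpected name,
    or named like a random token. Returns one dict per suspicious profile."""
    findings = []
    for row in rows:
        reasons = []
        groups = {int(g) for g in str(row.get("types", "")).split(",") if g.strip().isdigit()}
        if PUBLIC_GROUP_ID in groups:
            reasons.append("assigned to Public group")
        name = row.get("name", "")
        if name not in known_names:
            reasons.append("unexpected profile name")
        # random-looking: one alphanumeric token mixing letters and digits, no spaces
        if re.fullmatch(r"[A-Za-z0-9]{6,}", name) and re.search(r"\d", name) and re.search(r"[A-Za-z]", name):
            reasons.append("random-looking name")
        if reasons:
            findings.append({"id": row.get("id"), "name": name, "reasons": reasons})
    return findings


def assess(manifest_xml, profile_rows, known_names=KNOWN_PROFILE_NAMES):
    """Combine steps 2-4: installed version, vulnerability verdict, profile review."""
    version = manifest_version(manifest_xml)
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "below_recommended": parse_version(version) < parse_version(RECOMMENDED_VERSION),
        "suspicious_profiles": profile_findings(profile_rows, known_names),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_MANIFEST, SAMPLE_PROFILES)
    state = "VULNERABLE, update now" if result["vulnerable"] else "fixed"
    print(f"JCE {result['version']}: {state}")
    for f in result["suspicious_profiles"]:
        print(f"profile #{f['id']} {f['name']!r}: {', '.join(f['reasons'])}")
```

For real use, feed manifest_version the contents of the jce.xml file and profile_findings the rows from a `SELECT id, name, types, published FROM <prefix>_wf_profiles` query, with KNOWN_PROFILE_NAMES set to the profiles you created yourself. A profile that is unknown to you, assigned to Public, and carries a random name should be treated as evidence of exploitation, not merely a warning.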

How to fix it

Before any update: back up
Back up your files and database before updating – so you can roll back if anything goes wrong (e.g. via Akeeba Backup or your host).
  1. Open the Update center

    Go to System → Update → Extensions and click Check for updates.

  2. Update JCE

    Select the JCE entry and click Update (target version 2.9.99.5 / 2.9.99.6).

  3. Verify the version

    Check under Components → JCE Editor that the new version is active.

Manual installation (alternative)
Alternatively, download the package from joomlacontenteditor.net and install it via Extensions → Manage → Install. Expired JCE Pro subscription? You can either switch to the free JCE Core or renew the subscription – all that matters is reaching at least 2.9.99.5.

Official download: JCE Core (free) or JCE Pro (requires a subscriber account). Make sure you end up on at least JCE 2.9.99.5, preferably 2.9.99.6.

Has the site already been attacked?

Actively exploited – check the site
Because the flaw is already being abused to install web shells, look specifically, after updating, for planted files and for suspicious editor profiles. The update closes the hole but does not remove backdoors that were already placed; when in doubt, have the site professionally cleaned and change all passwords.

Sources & further reading

The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.

Supporters of this site

htprotect.org is a free, vendor-independent information service. It is supported by:

Host & community: FC-Hosting (fc-hosting.de)
Joomla host from Germany with active community support; discovered the first attack on the JCE vulnerability.

Initiator & operator: Website-Bereinigung.de (website-bereinigung.de)
Specialised in cleaning, maintaining and securing Joomla and WordPress websites.

Support this project

You run a hosting or Joomla service and would like to support htprotect.org – and be listed here as a supporter? Every contribution helps to warn and protect those affected faster.
