Unauthenticated Profile Creation to PHP RCE in JCE Editor for Joomla

Repository contains a single Python exploit script and a README. The Python file is a multithreaded mass scanner/exploit for a claimed Joomla JCE unauthenticated RCE, labeled CVE-2026-48907. Its workflow is: normalize target URLs, fingerprint JCE-related files, probe a JCE endpoint, fetch the site root to extract a CSRF token, then attempt an import/upload/rename chain to place a PHP webshell. It uses several PHP payload variants, including minimal command-execution shells and GIF89a-prefixed payloads intended to bypass content-type or magic-byte checks. Successful exploitation is validated by actual PHP execution, and confirmed shell URLs are written to webshell.txt. The code is operational rather than a simple detector because it includes upload and execution payloads, concurrency support, output handling, and confirmation logic. The repository README is inconsistent with the code: it describes a different CVE and WordPress /wp-json behavior, suggesting the README is copied or unrelated. Based on the available code, the real purpose of the repository is Joomla/JCE webshell deployment and RCE verification across multiple targets.

This repository is a small educational exploit lab for CVE-2026-48907, an unauthenticated RCE affecting Joomla Content Editor (JCE) up to 2.9.99.4. The main exploit logic is in poc.py, a Python script using requests.Session to interact with a Joomla instance. It first fetches the site root to extract a CSRF token from page content, then submits a multipart POST to /index.php?option=com_jce with task=profiles.import and an uploaded file named like cve-2026-48907-XXXX.xml.php. The uploaded content is a minimal PHP payload (<?= 45*69 ?>). After a short delay, the script requests /tmp/<filename> and checks whether the server executed the PHP code, confirming RCE. The exploit capability is straightforward but real: unauthenticated remote upload through JCE profile import followed by direct execution from the Joomla tmp directory. The PoC does not provide an interactive shell or post-exploitation tooling; it is a verification exploit that demonstrates arbitrary PHP execution with a hardcoded payload. Repository structure is simple: README.md explains the vulnerability and usage; poc.py is the exploit; vulnerable/ and patched/ each contain a docker-compose.yaml and entrypoint.sh to build comparison labs. The vulnerable lab installs JCE 2.9.99.4, while the patched lab installs 2.9.99.5. Both labs expose Joomla on 127.0.0.1:9999 and use MariaDB as a backend. The entrypoint scripts are largely Joomla container setup logic, with the notable difference being the JCE package URL installed at the end. Overall, this is a legitimate operational PoC repository intended to validate whether a target Joomla/JCE deployment is exploitable under the specific condition that PHP execution from the web-accessible tmp/ directory is allowed.

Repository contains a single Python exploit script and a short README. The main file, CVE-2026-48907.py, is an operational mass scanner/exploit for an alleged unauthenticated RCE in Joomla's JCE component. It is not framework-based. The script accepts a target list, uses multithreading, normalizes targets to HTTPS if no scheme is provided, and scans each host for JCE indicators using several known component/plugin file paths. It then checks a JCE endpoint (/index.php?option=com_jce&task=cpanel.feed), retrieves a Joomla CSRF token from the homepage, and attempts to import a crafted JCE profile that enables permissive upload settings including php/gif file types, disabled MIME validation, and rename capability. After that, it tries multiple PHP webshell payload variants, including GIF89a-prefixed payloads for content-type or magic-byte bypasses, to achieve code execution. The exploit's stated goal is to save only confirmed RCE results, meaning it verifies that uploaded PHP actually executes before recording the resulting shell URL to webshell.txt. Overall, this is a real exploit-oriented mass exploitation tool rather than a detector: it fingerprints targets, modifies JCE configuration through profile import, uploads a webshell, and confirms arbitrary command execution over HTTP.