JCE security vulnerability: update Joomla now (2.9.99.5)

The JCE Editor (Joomla Content Editor) is by far the most widely installed editor extension for Joomla - and that is exactly what makes the newly disclosed JCE security vulnerability so critical. On June 3, 2026, JCE 2.9.99.5 was released as a critical security update that closes a flaw through which unauthenticated attackers can upload arbitrary files to the server.

Affected are all versions of JCE Free and JCE Pro before 2.9.99.5 - regardless of whether registration is possible on your Joomla site at all. As soon as JCE is installed, the site is vulnerable. Anyone operating or maintaining Joomla websites should not postpone this JCE update, but install it now.

Contents

What is the JCE security vulnerability in 2.9.99.5?

The vendor describes the vulnerability as follows: "Insufficient access controls permitted unauthenticated users to upload editor profiles." In other words: insufficient access controls allowed not logged in visitors to upload editor profiles. According to the release announcement, this can be abused to write arbitrary files to the server - a classic JCE arbitrary file upload.

You only understand why this is so dangerous once you know what an editor profile in JCE actually controls.

What a JCE editor profile controls

JCE uses so-called Editor Profiles. With these, an administrator defines which editor functions are available to which user group. A profile determines, among other things:

• which toolbar buttons are visible
• which file types may be uploaded
• which directories the editor may browse and write to
• which advanced features (e.g. code view, templates) are enabled

An editor profile is therefore effectively a set of file and upload permissions. Whoever controls the profile controls which file operations JCE performs. This is exactly where the JCE vulnerability comes in: if an anonymous attacker could upload their own profile, they could define a profile that first allowed the desired upload - and then exploit it.

The technical cause: a CSRF token is not proof of authorization

The affected controllers did check the CSRF token, but not whether the requesting user was actually authorized. That is the crucial logic error: Joomla also creates a session with a valid token for anonymous visitors. A valid token therefore only proves that the request came from a real session - not that an authorized user is behind it.

The fix ("Update authorisation checks across all controllers") therefore adds real permission checks via $user->authorise('core.manage', 'com_jce') in the controllers profiles.php (import, export, copy, delete), editor.php, profile.php and cpanel.php. In addition, in editor.php the methods callable via the $task parameter are restricted to a whitelist (loadlanguages, pack) instead of allowing arbitrary methods.

Am I affected? These JCE versions are vulnerable

Short and clear: All versions of JCE Free AND JCE Pro before 2.9.99.5 are affected. It does not matter whether your Joomla site allows public registration - because the vulnerability can be exploited without login, every Joomla installation with JCE is affected.

How to check your installed version:

1. Log in to the Joomla backend
2. Go to Components - JCE Editor
3. Check the version number displayed

If it shows a version lower than 2.9.99.5, immediate action is needed.

What can happen if I do not update?

In the worst case, an attacker uses the vulnerability to upload an executable file (e.g. a PHP file disguised as an image) into an accessible directory and thereby gains a web shell - permanent remote access to the server. A security flaw then becomes a full compromise that can no longer be fixed by an update, but requires complete cleanup.

JCE has an unfortunate history here: as early as 2011/2012, an upload vulnerability in JCE (CVE-2012-2902) was massively exploited by automated bots for years. The pattern is always the same - a known vulnerability meets thousands of installations that were never updated. Do not wait until scanners pick up this vulnerability too - you do not want to be the site still running a vulnerable JCE in six months.

The previous JCE vulnerability (2.9.99.4 from May 28, 2026)

2.9.99.5 is already the second JCE security update within a week - but not a patch for an incomplete fix. It is a different, significantly more critical vulnerability. For context, here is the previous version:

With JCE 2.9.99.4 (May 28, 2026), two vulnerabilities were fixed, each requiring a logged-in Joomla user (not necessarily an administrator):

1. Access to an editor profile that was not assigned to the user at all, and through it file system actions.
2. Directory traversal in the file system search function, which made it possible to list folder contents outside the configured directory.

This also affected JCE Free and JCE Pro. The crucial difference: 2.9.99.4 could only be exploited with a login, while 2.9.99.5 can be exploited without one. That is exactly what shifts the current vulnerability from "patch this week" to "patch now".

JCE and Joomla compatibility (3, 4, 5 and 6)

The good news: the 2.9.99.x branch of JCE Pro is compatible with Joomla 3, 4, 5 and 6. For Joomla 5 and 6, no backwards compatibility plugin is required. The update can therefore be installed without issue on practically any maintained Joomla installation - via the Joomla updater or by manual download.

How to recognize a possible compromise

Unlike the authenticated vulnerabilities in 2.9.99.4, this vulnerability leaves a trace that can be specifically searched for - because the malicious request does not require valid login credentials. On higher-risk sites, a retrospective check is worthwhile:

• Check the server logs from the past few weeks for requests to the JCE profile and file system endpoints (upload or import) that came without a Joomla session cookie.
• Check the directories images/, media/ and your own upload folders for files you did not create yourself - especially anything with a script extension or a suspicious timestamp.
• Look for unknown admin users, modified template files, and unusual redirects or spam pages in the Google index.

Important: A successfully installed update does not automatically mean the site is clean. If there are signs of an attack, it must also be checked and, if necessary, cleaned.

Not sure whether your Joomla website is affected? We will check it for you free of charge. Also take a look at our immediate help for hacked Joomla sites.

FAQ about the JCE Editor security vulnerability in Joomla

Am I affected?

If your Joomla site has JCE installed in a version earlier than 2.9.99.5: yes. Because the vulnerability can be exploited without logging in, every Joomla installation with JCE is affected - regardless of the registration settings.

Is only JCE Pro affected?

No. JCE Free and JCE Pro are affected equally. Both editions receive the same fix in version 2.9.99.5.

What can happen if I do not update?

In the worst case, an attacker uploads an executable file and installs a web shell with persistent access. Then an update is no longer enough - the site must be cleaned up completely.

How do I update JCE?

Check for updates in the Joomla backend under System - Update - Extensions and update JCE. For JCE Pro, a valid subscription key must be entered. Alternatively, download the package manually from the official download area and install it.

What if my JCE Pro subscription has expired?

Then you will no longer receive updates via the Pro channel. You have two safe options: either install the free JCE Core (Free) over your Pro version - it is also patched to 2.9.99.5, but you will lose the Pro features - or renew the subscription and update normally. Simply continuing to run the unpatched Pro version is not an option, because the vulnerability would otherwise remain open.

How do I check whether my site has already been attacked?

The clearest clue is in the editor profiles: Open Components - JCE Editor - Editor Profiles. The default profiles Default, Front End, Blogger, Mobile and Markdown are harmless. If you find a profile with a cryptic random name there instead (for example xs94da) or one assigned to the user group Public, the site is considered hacked. Also check the server logs from the past few weeks for upload and import requests without a login, as well as the images/, media/ and custom upload directories for planted files, especially those with a script extension. If in doubt, have the site professionally checked before deleting profiles or files.

Sources and further information

• mySites.guru - Detailed analysis of the vulnerability (Free + Pro confirmed)
• Joomla Content Editor - Official release announcement
• Joomla Content Editor - Official changelog
• db8.nl - Summary of the 2.9.99.4 vulnerabilities
• GitHub (widgetfactory/jce) - Free/Core version also patched

The vulnerability was reported by Uwe Flottemesch (fc-hosting.de), with support from David Jardin (Joomla Security Strike Team).

Did this article help you? If you have questions, would like to add something, or have spotted an error - please feel free to write it in the comments.

Comments

# Bjorn 2026-06-03 20:20

Thanks for the quick info!

Reply

# Renate 2026-06-03 22:49

Your email came at just the right time because we were already looking for new support anyway. Thanks for the quick response - we look forward to working together. Now we're curious to see whether the Security Flat Rate delivers what it promises.

Reply

Refresh comments list

Add comment

• Next