Unauthenticated RCE in Joomla Content Editor (JCE) Profile Import
CVE-2026-48907 is a critical improper access control vulnerability in Widget Factory's Joomla Content Editor (JCE) extension for Joomla. The flaw affects the profile import functionality exposed via the profiles.import task/endpoint and allows unauthenticated users to create new editor profiles. Multiple supporting sources indicate the vulnerable workflow lacks adequate authorization checks and, in practice, can be abused to upload attacker-controlled PHP files. Additional reporting indicates insufficient file validation or bypassable MIME-type restrictions during import/upload handling, enabling placement of executable PHP payloads on the server, commonly in writable locations such as tmp/, images/, or media/. Once uploaded, the PHP payload can be requested and executed by the web server, resulting in unauthenticated remote code execution on vulnerable Joomla sites running affected JCE versions.
Exploits
7 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
Repository contains a small exploit PoC set for an unauthenticated Joomla JCE file-upload-to-RCE issue labeled CVE-2026-48907. There are 5 files total: one Python exploit script, one Nuclei template, a README, license, and .gitignore. The Python script is the main operational exploit: it accepts either a single URL or a file of targets, reads an operator-supplied local payload file, fetches the target homepage to extract a CSRF token, submits a multipart POST to `/index.php?option=com_jce` with `task=profiles.import`, uploads the payload as a randomly named `.xml.php` file, and then requests `/tmp/<filename>` to confirm successful upload and likely code execution. This makes it a real exploit rather than a detector, because it performs the upload and can deliver arbitrary PHP content. The Nuclei YAML is a framework-based verification template that follows the same three-step flow: GET `/` to extract `csrf.token`, POST the upload with a fixed PHP expression payload, then GET `/tmp/{{tmp_file}}` and match on output `3105`. Because the repository includes a Nuclei template, it belongs to a framework, but the repo also includes standalone exploit code. The exploit capability is arbitrary unauthenticated file upload leading to remote code execution on vulnerable JCE installations. Fingerprintable targets are the Joomla root page, the JCE import endpoint `/index.php?option=com_jce`, and the uploaded file path under `/tmp/`. The README largely documents usage and provides example PHP payloads such as a command web shell and eval backdoor, reinforcing that the intended post-exploitation result is attacker-controlled PHP execution.
The repository contains a single Python exploit script, ssi4.py, presented as an all-in-one exploit for CVE-2026-48907 affecting Joomla/JCE. It is not part of a larger framework. The script is operational rather than a simple PoC: it supports single-target or bulk-target processing, URL normalization and extraction from files/stdin, multithreaded execution via ThreadPoolExecutor, colored console output, result logging, and multiple exploitation modes. Core purpose: identify Joomla sites with JCE-related components, probe likely vulnerable endpoints, obtain CSRF-style tokens from several front-end and administrator paths, attempt exploitation through JCE task endpoints, and write a server-side shell into common writable web directories. It then verifies successful code execution and records either full RCE or file-write-only outcomes.
Notable exploit capabilities inferred from the code:
- Fingerprinting JCE presence using known static paths such as /plugins/editors/jce/jce.xml and /administrator/components/com_jce/jce.xml.
- Probing JCE application endpoints including /index.php?option=com_jce&task=cpanel and /index.php?option=com_jce&task=profiles.import.
- Collecting CSRF tokens from multiple public/admin pages using regex patterns for csrf.token and hidden input fields.
- Trying alternate headers (X-Forwarded-For and X-Real-IP set to 127.0.0.1) to work around simple WAF or access controls.
- Dropping either a PHP webshell or an SSI-based shell into tmp/, cache/, or administrator/cache/ using various executable extensions (.php, .phtml, .php3, .php7, .php5, .phar, .pht) and .shtml for SSI.
- Verifying command execution using id and regex matching for uid=... gid=... output.
- Distinguishing between successful RCE and write-only conditions, then saving results to output files.
Payload details:
- The PHP payload is a minimal passthru-based webshell that executes commands supplied via cmd and uses id for validation.
- The SSI payload is an HTML/SSI command terminal labeled 'SSInjection Terminal' that executes commands from the query string and renders output in a styled browser interface.
Repository structure is minimal: one standalone Python file with helper routines for target loading, URL parsing, WAF heuristics, version/patch checks, payload generation, scanning/exploitation orchestration, and a main() entry point. Overall, this is a bulk-capable web exploitation tool aimed at turning a JCE file-write/RCE condition into persistent webshell access.
This repository is a small, single-purpose exploit PoC for CVE-2026-48907 affecting the JCE editor extension for Joomla. It contains two files: a README describing the vulnerability at a high level and a Python script, poc.py, which performs the exploit flow. The script is the main entry point and uses the requests Session API to maintain cookies across requests. Operationally, the exploit takes one argument: a target base URL. It then reads a local PHP payload file named alfa.php from the current directory. Next, it sends a GET request to the target root path to scrape a CSRF token using one of two regex patterns. With that token, it submits a multipart POST request to /index.php?option=com_jce with task=profiles.import and uploads the local alfa.php content as profile_file. After a short delay, it attempts to access /tmp/alfa.php on the target to verify upload success and trigger execution. The exploit’s main capability is unauthenticated arbitrary PHP upload followed by remote execution, assuming the vulnerable JCE import functionality is exposed and the uploaded file lands in a web-accessible, executable temporary directory. This is more than a pure detector because it actively uploads and executes attacker-controlled code. The payload itself is not embedded in the repository; instead, the operator supplies it via alfa.php, making the exploit operational but basic rather than framework-grade. There are no external C2 servers, hardcoded IPs, or third-party network services referenced beyond the operator-supplied target URL and the target-local Joomla/JCE endpoints.
This repository is a collection of multiple independent CVE-2026-48907 PoCs targeting unauthenticated remote code execution in the Joomla JCE component, rather than a single cohesive exploit project. It contains three Python exploit/scanner variants and one educational lab-oriented PoC with Docker environments. The main exploit capability across the Python scripts is consistent: fingerprint JCE by requesting known plugin/component files, fetch a CSRF token from the public Joomla homepage, abuse the unauthenticated JCE profile import feature at /index.php?option=com_jce to loosen upload restrictions or stage attacker-controlled content, upload a PHP payload through JCE browser/plugin RPC or via profile import staging, and finally verify code execution by requesting the uploaded file over HTTP. Successful exploitation yields a reachable PHP webshell URL and arbitrary command execution via HTTP parameters. The 0xBlackash sample is a straightforward mass scanner/uploader that writes confirmed shells to webshell.txt. The 87achrafg-stack and webshellseo8 variants are more feature-rich OPERATIONAL scanners with multiple payload encodings, GIF-header bypass attempts, extra JCE checks, and in one case a custom upload-capable PHP shell. The ywh-jfellus subtree is more educational and self-contained. It includes poc.py plus vulnerable/ and patched/ Docker Compose labs. That PoC demonstrates a slightly different exploitation path: the imported profile file is staged into Joomla's web-accessible tmp/ directory as an .xml.php file, then fetched from /tmp/ to confirm PHP execution. The lab binds Joomla to 127.0.0.1:9999 and installs either JCE 2.9.99.4 (vulnerable) or 2.9.99.5 (patched) via GitHub release ZIP URLs in custom entrypoint scripts. Notable repository quality observations: one README (87achrafg-stack) appears mismatched and describes a different WordPress-related CVE, but the Python file itself still targets JCE/Joomla. Despite some truncation in the provided content, the available code clearly implements real exploitation logic rather than mere detection. Overall, this is an exploit repository with mass-scanning and webshell-deployment functionality for CVE-2026-48907, plus a reproducible local lab for validation and patch comparison.
Repository contains a single Python exploit script and a README. The Python file is a multithreaded mass scanner/exploit for a claimed Joomla JCE unauthenticated RCE, labeled CVE-2026-48907. Its workflow is: normalize target URLs, fingerprint JCE-related files, probe a JCE endpoint, fetch the site root to extract a CSRF token, then attempt an import/upload/rename chain to place a PHP webshell. It uses several PHP payload variants, including minimal command-execution shells and GIF89a-prefixed payloads intended to bypass content-type or magic-byte checks. Successful exploitation is validated by actual PHP execution, and confirmed shell URLs are written to webshell.txt. The code is operational rather than a simple detector because it includes upload and execution payloads, concurrency support, output handling, and confirmation logic. The repository README is inconsistent with the code: it describes a different CVE and WordPress /wp-json behavior, suggesting the README is copied or unrelated. Based on the available code, the real purpose of the repository is Joomla/JCE webshell deployment and RCE verification across multiple targets.
This repository is a small educational exploit lab for CVE-2026-48907, an unauthenticated RCE affecting Joomla Content Editor (JCE) up to 2.9.99.4. The main exploit logic is in poc.py, a Python script using requests.Session to interact with a Joomla instance. It first fetches the site root to extract a CSRF token from page content, then submits a multipart POST to /index.php?option=com_jce with task=profiles.import and an uploaded file named like cve-2026-48907-XXXX.xml.php. The uploaded content is a minimal PHP payload (<?= 45*69 ?>). After a short delay, the script requests /tmp/<filename> and checks whether the server executed the PHP code, confirming RCE. The exploit capability is straightforward but real: unauthenticated remote upload through JCE profile import followed by direct execution from the Joomla tmp directory. The PoC does not provide an interactive shell or post-exploitation tooling; it is a verification exploit that demonstrates arbitrary PHP execution with a hardcoded payload. Repository structure is simple: README.md explains the vulnerability and usage; poc.py is the exploit; vulnerable/ and patched/ each contain a docker-compose.yaml and entrypoint.sh to build comparison labs. The vulnerable lab installs JCE 2.9.99.4, while the patched lab installs 2.9.99.5. Both labs expose Joomla on 127.0.0.1:9999 and use MariaDB as a backend. The entrypoint scripts are largely Joomla container setup logic, with the notable difference being the JCE package URL installed at the end. Overall, this is a legitimate operational PoC repository intended to validate whether a target Joomla/JCE deployment is exploitable under the specific condition that PHP execution from the web-accessible tmp/ directory is allowed.
Repository contains a single Python exploit script and a short README. The main file, CVE-2026-48907.py, is an operational mass scanner/exploit for an alleged unauthenticated RCE in Joomla's JCE component. It is not framework-based. The script accepts a target list, uses multithreading, normalizes targets to HTTPS if no scheme is provided, and scans each host for JCE indicators using several known component/plugin file paths. It then checks a JCE endpoint (/index.php?option=com_jce&task=cpanel.feed), retrieves a Joomla CSRF token from the homepage, and attempts to import a crafted JCE profile that enables permissive upload settings including php/gif file types, disabled MIME validation, and rename capability. After that, it tries multiple PHP webshell payload variants, including GIF89a-prefixed payloads for content-type or magic-byte bypasses, to achieve code execution. The exploit's stated goal is to save only confirmed RCE results, meaning it verifies that uploaded PHP actually executes before recording the resulting shell URL to webshell.txt. Overall, this is a real exploit-oriented mass exploitation tool rather than a detector: it fingerprints targets, modifies JCE configuration through profile import, uploads a webshell, and confirms arbitrary command execution over HTTP.
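A defender-side check for the three-step flow the summaries above describe, added here as an example and not taken from the page or from any of the repositories it lists. It parses combined-format web server access log lines (the sample lines are constructed) and flags front-end POSTs to option=com_jce, then escalates a later request from the same client for an executable file in one of the writable directories named above. The log format, the directory list and the extension list are assumptions drawn from the PoC descriptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format (Apache/nginx); these sample lines are constructed, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [01/May/2026:10:00:02 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 303 0
203.0.113.7 - - [01/May/2026:10:00:04 +0000] "GET /tmp/a1b2c3.xml.php HTTP/1.1" 200 4
198.51.100.9 - - [01/May/2026:10:05:00 +0000] "GET /images/banner.jpg HTTP/1.1" 200 20480
198.51.100.9 - - [01/May/2026:10:06:00 +0000] "GET /administrator/index.php?option=com_jce&view=profiles HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
# Executable extensions seen in the PoCs (also catches double extensions such as .xml.php).
EXEC_EXT_RE = re.compile(r'\.(php\d?|phtml|phar|pht|shtml)$', re.IGNORECASE)
# Writable staging directories named in the PoC descriptions (assumed list).
STAGING_DIRS = ('/tmp/', '/images/', '/media/', '/cache/', '/administrator/cache/')

def parse_line(line):
    """Return a dict with ip, method, url_path, query (dict) and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec['path'])
    rec['url_path'] = url.path
    rec['query'] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec

def is_frontend_jce_post(rec):
    """POST to com_jce on the site front end: the profile-import endpoint should never be hit here."""
    return (rec['method'] == 'POST' and rec['url_path'].endswith('/index.php')
            and not rec['url_path'].startswith('/administrator/')
            and rec['query'].get('option') == 'com_jce')

def is_staged_script_hit(rec):
    """Request for a script-like file inside a directory that should only hold data."""
    p = rec['url_path']
    return any(p.startswith(d) for d in STAGING_DIRS) and EXEC_EXT_RE.search(p) is not None

def detect(lines):
    """Return (ip, reason) findings; a script hit after a com_jce POST from the same ip is HIGH."""
    findings, posted = [], set()
    for rec in filter(None, map(parse_line, lines)):
        if is_frontend_jce_post(rec):
            posted.add(rec['ip'])
            findings.append((rec['ip'], 'front-end com_jce POST task=%s' % rec['query'].get('task', '?')))
        elif is_staged_script_hit(rec):
            sev = 'HIGH' if rec['ip'] in posted else 'MEDIUM'
            findings.append((rec['ip'], '%s script request %s -> %s' % (sev, rec['url_path'], rec['status'])))
    return findings

if __name__ == '__main__':
    for ip, reason in detect(SAMPLE_LOG.splitlines()):
        print(ip, reason)
```

The task parameter is frequently carried in the POST body rather than the query string, so it will not always be visible in access logs; the front-end option=com_jce POST itself is the more reliable signal, and a 200 on a script under tmp/ after it is the one to treat as a likely compromise.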
Recent activity
A critical improper access-control vulnerability in Joomla Content Editor (JCE) that allows unauthenticated attackers to import malicious editor profiles, upload executable PHP files, and achieve arbitrary code execution on vulnerable servers.
A maximum severity unauthenticated remote code execution vulnerability in Widget Factory’s Joomla Content Editor (JCE) extension that allows attackers to create a new editor profile without authentication and then upload and execute arbitrary PHP files on the web server.
A critical improper access control vulnerability in the Widget Factory Joomla Content Editor (JCE) extension for Joomla that allows unauthenticated attackers to create new editor profiles and ultimately upload and execute PHP code.
An improper access vulnerability in Joomla Content Editor (JCE) that allows unauthenticated attackers to upload files and achieve arbitrary PHP code execution.