
Joomla extensions security vulnerabilities June 2026
June 2026 was not a good month if you were running a Joomla site. Within the space of a few weeks, three critical vulnerabilities were discovered in extensions used on a huge number of sites: the JCE editor, SP Page Builder and iCagenda. All three were roughly the same type of vulnerability, and all three were already being actively exploited before most site administrators realised anything was amiss.
The good news is that updates are now available for all three. The less good news is that installing an update closes the door, but if an attacker has already gained access, they’ll still be there after the update. That distinction is often overlooked, and it’s precisely where sites still end up getting compromised.
What exactly went wrong
All three vulnerabilities boil down to the same thing. Somewhere within the extension, there was a component that accepted an uploaded file without checking who the uploader was – meaning no login was required – and without properly verifying the type of file. This allowed an attacker to place a PHP file on the server and then execute it. In practice, this means complete control over your site: extracting data, modifying pages, installing a backdoor, or using your server to attack other sites. In technical terms, this is known as remote code execution, and it’s pretty much the worst thing that can happen to a website.
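The two missing checks described above, identity of the uploader and type of the file, are the whole story of these three bugs. The following is an added Python example (not code from the article or from JCE, SP Page Builder or iCagenda) of what an upload handler has to decide before it writes anything to disk. The `user` dict with `guest` and `can_upload` flags and the allow-list of types are assumptions standing in for whatever the real application provides.

```python
import re

# Allow-list of upload extensions and the magic bytes each must start with.
# Constructed for this example; a real site derives it from what it actually needs to accept.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# Extensions that must never appear anywhere in a name: some web servers map a
# handler on any extension in the filename, not only the last one (so "x.php.png" is not safe).
EXECUTABLE_MARKERS = re.compile(r"\.(php\d*|phtml|phar|htaccess)(\.|$)", re.IGNORECASE)

# The part before the single allowed extension: letters, digits, dash, underscore only.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(user, filename, content):
    """Return (True, safe_name) or (False, reason).

    `user` is an assumed dict: {"guest": bool, "can_upload": bool}.
    """
    # 1. Who is uploading? Anonymous visitors never get to write files,
    #    and logged-in users still need the relevant permission.
    if user is None or user.get("guest", True):
        return False, "authentication required"
    if not user.get("can_upload", False):
        return False, "user lacks upload permission"

    # 2. Normalise the name: drop any directory part, refuse NUL bytes and
    #    executable extensions, and allow exactly one extension from the allow-list.
    base = filename.replace("\\", "/").split("/")[-1]
    if "\x00" in base:
        return False, "NUL byte in filename"
    if EXECUTABLE_MARKERS.search(base):
        return False, "executable extension in filename"
    if "." not in base:
        return False, "missing extension"
    stem, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not SAFE_STEM.match(stem):
        return False, "filename contains disallowed characters"

    # 3. Does the content match the declared type? A PHP file renamed to .png
    #    fails the magic-byte check; a real image with PHP appended fails the tag check.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP tag"

    return True, f"{stem}.{ext}"


if __name__ == "__main__":
    admin = {"guest": False, "can_upload": True}
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_upload({"guest": True}, "logo.png", png))
    print(validate_upload(admin, "logo.php.png", png))
    print(validate_upload(admin, "logo.png", png))
```

The order matters: the identity check comes first because it costs nothing and stops the unauthenticated case outright, which is exactly the case all three extensions got wrong. The type checks are defence in depth for the day a legitimate account is compromised. Storing accepted files under a server-generated name outside any directory the web server will execute is the usual final step, which this example leaves to the caller.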
| Extension | What it is | Vulnerable | Secure from |
|---|---|---|---|
| JCE | The most widely installed editor for Joomla | Anything older than 2.9.99.6 | 2.9.99.6 |
| SP Page Builder | JoomShaper’s page builder | All versions up to and including 6.6.1 | 6.6.2 |
| iCagenda | Calendar and events component | Older than 4.0.8 | 4.0.8 |
Below, I’ll go through each of the three in turn: what the extension is, what went wrong and what you need to do.
JCE: unauthenticated profile upload, secure from version 2.9.99.6 onwards
JCE, which stands for Joomla Content Editor, is the most widely installed editor for Joomla. On a great many sites, it replaces the standard editor, often without the administrator even realising that it is a separate extension. It is precisely this ubiquity that makes a vulnerability in it so attractive to attackers.
The vulnerability allowed visitors without a login to upload editor profiles, and through that route any file could be placed on the server, including executable PHP files. The developers responded in two stages: first with an emergency update (2.9.99.5) that patched the vulnerability, and shortly afterwards with 2.9.99.6, the result of a few days’ thorough review of the entire extension and the tightening of input validation. Important detail: 2.9.99.6 is the version you need to be running, not 2.9.99.5. So don’t stop halfway.
Moreover, this isn’t the first time JCE has had an upload vulnerability. Years ago, there was another one that was exploited on a large scale, and that’s precisely why you must take a new JCE vulnerability seriously straight away: attack bots know that the editor runs just about everywhere. Update to 2.9.99.6 via the Joomla updater or directly from the developer; the Pro version works fine on Joomla 3, 4, 5 and 6. If you can’t update, temporarily remove JCE. Afterwards, check whether any editor profiles have been added that you did not create.
SP Page Builder: upload vulnerability that creates hidden administrators, patched in 6.6.2
SP Page Builder by JoomShaper is one of the most popular page builders for Joomla, allowing you to drag and drop elements to build pages without coding. The vulnerability was in an upload function within the component itself – the task that normally allows you to upload your own icon (asset.uploadCustomIcon). This function accepted a file without requiring any login, allowing an attacker to place and execute a PHP webshell.
What makes this vulnerability particularly troublesome is what attackers actually did with it. They used the control they gained to create a hidden Super User, ensuring they retained their own point of entry, even after you’ve duly updated the system. Another point to note: a firewall rule designed to block the JCE attack will not automatically block this one. It uses a different file extension with a different pattern, so relying solely on your WAF is not enough here.
Every version up to and including 6.6.1 is vulnerable; this has been fixed in 6.6.2. So update to 6.6.2 and then check your user list for administrators you did not create yourself.
iCagenda: file upload in the events component, fixed in 4.0.8
iCagenda by JoomliC is a calendar and events component, used on sites that publish activities or an events calendar. The vulnerability was an unauthenticated file upload in the directory where the component stores its uploads, again resulting in remote code execution.
This was a genuine zero-day vulnerability: it was already being exploited before a fix was available. The developer had version 4.0.8 ready on the very same day. If you want to check your logs to see whether your site has been targeted, look out for a pattern where a bot first posts something to the site and then immediately requests a .php file from the component’s upload directory. This is the kind of attack that assumes it has already gained access.
Update to 4.0.8 and check the component’s upload folder for PHP files that do not belong there.
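The log pattern described above, a POST from one client followed almost immediately by a request for a .php file in the component’s upload directory, is easy to pick out mechanically. Below is an added Python example (not part of the article, and not a tool from JoomliC) that walks a web server access log in combined format and reports such pairs per client IP. The upload directory path, the `task=upload` endpoint in the sample and the log lines themselves are constructed placeholders for this example; substitute the real paths from your own installation.

```python
import re
from datetime import datetime

# Combined log format as written by Apache or nginx; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed location of the component's upload directory; use the real one for your site.
UPLOAD_DIRS = ["/media/com_icagenda/uploads/"]

# Constructed sample log (RFC 5737 test addresses, placeholder endpoints); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Jun/2026:09:12:01 +0000] "POST /index.php?option=com_icagenda&task=upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2026:09:12:03 +0000] "GET /media/com_icagenda/uploads/x.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jun/2026:09:15:10 +0000] "GET /index.php/events HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jun/2026:09:15:11 +0000] "GET /media/com_icagenda/uploads/flyer.pdf HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Jun/2026:10:00:00 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Jun/2026:10:30:00 +0000] "GET /media/com_icagenda/uploads/y.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def find_post_then_php(lines, upload_dirs=UPLOAD_DIRS, window_seconds=60):
    """Report clients that POST to the site and then, within the window, request a .php
    file under an upload directory. The status of the .php request is kept: a 200 means
    the file existed and the server ran it, a 404 means the attempt failed."""
    last_post = {}  # ip -> most recent POST entry
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["method"] == "POST":
            last_post[entry["ip"]] = entry
            continue
        path = entry["path"].split("?", 1)[0]
        if not path.lower().endswith(".php"):
            continue
        if not any(path.startswith(d) for d in upload_dirs):
            continue
        prev = last_post.get(entry["ip"])
        if prev is None:
            continue
        gap = (entry["ts"] - prev["ts"]).total_seconds()
        if 0 <= gap <= window_seconds:
            hits.append({
                "ip": entry["ip"],
                "post": prev["path"],
                "php": path,
                "seconds": int(gap),
                "status": entry["status"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_post_then_php(SAMPLE_LOG.splitlines()):
        print(f'{hit["ip"]}: POST {hit["post"]} then GET {hit["php"]} '
              f'after {hit["seconds"]}s (status {hit["status"]})')
```

Run it over the real log with `find_post_then_php(open("access.log").readlines())`. A hit with status 200 is the strongest signal: the server found a PHP file in a folder that should only hold documents and images, and executed it. A 404 still tells you which client was probing and when, which is useful when you go on to check the upload folder itself.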
Why this keeps happening with Joomla extensions
This is no coincidence, nor is it down to Joomla itself. The pattern is always the same. A popular extension has a component somewhere that is authorised to receive files – a media manager, an icon uploader, an event attachment – and somewhere in that chain, a check is missing. The more sites running such an extension, the more valuable that single vulnerability becomes, because an attacker only needs to find it once.
After that, it happens automatically. Bots scan the internet en masse for sites running the vulnerable extension and unleash the same trick everywhere. Your site doesn’t even need to be of particular interest. It’s enough that you’re running the wrong extension in the wrong version. That’s precisely why standalone extensions, however handy they may be, represent your greatest surface area of risk: the Joomla core is strictly monitored, but every extension you install is someone else’s code that you simply have to trust.
The intruder may already be inside
This is the real message. If one of these vulnerabilities was exploited on your site before you updated, the attacker will have left something behind during that period to allow them to remain inside. Updating closes the hole through which they got in, but it doesn’t remove what they’ve planted in the meantime. Here are three things you might find:
- A hidden administrator. An additional Super User with a plausible name – think of something like “Web Editor” or “Admin Backup” – and often an email address that makes no sense. That account is simply listed in your user list. You just need to look there to spot it.
- A webshell. An uploaded PHP file that allows the attacker to execute commands again later, even if you’ve already patched the original vulnerability. These files are usually found in places you wouldn’t expect, in upload folders or hidden amongst legitimate files.
- A malicious setting within the extension itself. In JCE, for example, an editor profile that is permitted to do far more than it should.
At the same time, the reverse is also true: not everything that looks suspicious is a hack. If you run a scanner over your site, you’ll often get a list of files flagged as ‘suspicious’ because they resemble a certain pattern. That’s something to look into, not something to panic about and delete straight away. The difference lies between “this file resembles something malicious in its structure” and “this file has demonstrably been modified or injected”. The former requires a closer look, the latter requires action. Anyone who fails to make that distinction will either wreck their own site or miss the real backdoor.
What you should do now
- If you didn’t carry out the steps below on the day itself (16 June 2026), you are probably already too late, and your best course of action now is to restore a backup from early June.
- Update immediately if you’re running any of these three. JCE to 2.9.99.6, SP Page Builder to 6.6.2, iCagenda to 4.0.8. Do this via the Joomla updater or directly from the developer. If you really cannot update, disable the extension until you can.
- Afterwards, check whether anything has happened. Go through your list of Super Users to check for accounts you didn’t create yourself, and look in the upload folders of the relevant extension for PHP files that shouldn’t be there.
- Don’t forget your other sites. If you run multiple Joomla sites, or manage them for clients, go through them all. An attack bot makes no distinction, so neither should you. Also check your development and test websites. Even though these aren’t indexed, they’re easy for bots to find.
- Keep a pre-update backup to hand, in case you need to roll back or want to compare.
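The distinction drawn earlier between a file that merely resembles something malicious and one that has demonstrably been modified or added is exactly what a pre-update backup lets you settle. The following is an added Python example (not from the article) that hashes every file in the backup and in the live site, reports what was added or changed, and separately lists any PHP file sitting in an upload folder, which is out of place whatever it contains. The directory layout, the `images/uploads` path and the file contents in `demo()` are constructed for the example; use the real upload folders of the extensions you run.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file under root (relative path, forward slashes) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(baseline, current):
    """Split the live tree into files added since the backup, files whose content
    changed, and files that disappeared. Unchanged files are not reported, however
    suspicious their contents may look to a pattern scanner."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed


def php_in_upload_dirs(root, upload_dirs):
    """List PHP-like files under the given upload folders (relative to root)."""
    found = []
    for d in upload_dirs:
        for dirpath, _, filenames in os.walk(os.path.join(root, d)):
            for name in filenames:
                if name.lower().rsplit(".", 1)[-1] in ("php", "phtml", "phar"):
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed pre-update backup and a constructed live tree, then compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        live = os.path.join(tmp, "live")
        for root in (backup, live):
            _write(root, "configuration.php", b"<?php class JConfig {}\n")
            _write(root, "images/uploads/logo.png", b"\x89PNG\r\n\x1a\nPNGDATA")
            # Legitimate file whose contents a pattern scanner might flag; it is identical
            # in backup and live, so it is correctly left out of the report.
            _write(root, "libraries/src/Helper.php", b"<?php $blob = base64_decode('aGVsbG8=');\n")
        # Live site only: one core file altered, one PHP file dropped into an upload folder.
        _write(live, "configuration.php", b"<?php class JConfig {} /* altered */\n")
        _write(live, "images/uploads/cache.php", b"<?php // file that does not belong here\n")
        added, modified, removed = compare_trees(hash_tree(backup), hash_tree(live))
        return {
            "added": added,
            "modified": modified,
            "removed": removed,
            "php_in_uploads": php_in_upload_dirs(live, ["images/uploads"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real site, run `compare_trees(hash_tree("/path/to/backup"), hash_tree("/var/www/site"))` and expect noise in `cache/`, `logs/` and `tmp/`, which you can filter out; anything added or modified under `administrator/`, `libraries/` or the extension directories is what deserves a line-by-line look. The `php_in_upload_dirs` check needs no baseline at all.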

About Jeroen
I have been working with the Joomla! CMS since 2006. Besides building and maintaining Joomla! websites and webshops, I am also familiar with search engine optimization (SEO), Joomla hosting and developing templates and extensions. Furthermore, I am a frequent visitor and speaker at JoomlaDays and various Joomla user groups.
I am committed to the Joomla! community as a member of the Extensions Directory team and the organization of Joomla user group Breda and JoomlaDagen Netherlands. In short: if you are looking for a Joomla specialist, you should contact me!