Single-file, self-contained scanner for Joomla! JCE Editor < 2.9.99.5 - Unauthenticated Remote Code Execution (CVE-2026-48907)
Author: Hussein Mohamed (masta ghimau)
THIS TOOL IS FOR AUTHORIZED SECURITY ASSESSMENTS ONLY.
Scanning systems you do NOT own or have WRITTEN PERMISSION to test is ILLEGAL in most jurisdictions.
The author (Hussein Mohamed masta ghimau) accepts ABSOLUTELY NO liability for any misuse, damage, legal action, or data loss arising from the use of this tool.
By running this scanner you agree to:
Only scan assets YOU OWN or have EXPLICIT WRITTEN CONSENT.
Understand that the intrusive accuracy check uploads a harmless POC PHP file to the target server.
Manually delete every uploaded POC file immediately after use.
USE AT YOUR OWN RISK.
Important
Why "intrusive" matters for accuracy: to achieve the highest possible confidence and eliminate false positives, this tool performs a live math-verification payload test. It uploads a safe one-line PHP proof of concept and then confirms remote code execution by checking that the server returns the exact computed result. Non-intrusive scanners that only read version strings can miss back-ported patches or custom hot-fixes; this tool verifies that the vulnerability actually exists. It is therefore intrusive by design: use it wisely and with full authorization.
masta-cve-2026-48907.py is a completely original, single-file Python scanner designed to detect CVE-2026-48907 in Joomla! instances running the JCE Editor component versions older than 2.9.99.5.
- Pure stdlib HTTP: no `requests`/`httpx` dependency.
- Self-contained: one `.py` file you can drop anywhere.
- Graceful degradation: works without `openpyxl` or `rich`, but looks better when they are installed.
- Zero false-positive RCE: confirms with a math-verification payload.
- Threaded bulk scanning: scan entire URL lists quickly via `ThreadPoolExecutor`.
- Professional reporting: auto-generates styled Excel (`.xlsx`) reports with conditional colors.
| Feature | Description |
|---|---|
| Multi-source fingerprinting | Detects Joomla! and JCE via meta tags, manifests, static assets, language files, and JCE-specific endpoints |
| WAF detection | Identifies Cloudflare, Incapsula, Sucuri, and ModSecurity block pages |
| Safe intrusive POC | Uploads a harmless PHP math verifier (attributed and explicitly labeled for cleanup) |
| Card-based terminal UI | Rich Panel + Table cards (or ANSI fallback) per target |
| Excel report | Auto-generated `.xlsx` with headers, freeze panes, column widths, and color-coded status cells |
| Proxy support | Route all traffic through Burp / ZAP / any HTTP proxy |
| Threaded | Configurable worker threads for bulk lists |
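The WAF detection row above only says which vendors are recognised. The following is an added example, not code from the scanner, of the block-page check a practitioner would want behind that row, run over constructed sample responses. The header and body fingerprints are the commonly published ones for each vendor and are assumptions about what the tool matches; the design point that matters is that a vendor header on a normal 200 response must not count as a block, or every Cloudflare-fronted site would be reported as BLOCKED_BY_WAF.

```python
from typing import Dict, Optional, Tuple

# HTTP statuses that typically carry a WAF block page. A vendor header on a
# normal 200 response only says the site sits behind that provider; it must
# not be reported as a block on its own.
BLOCK_STATUSES = {403, 406, 429, 503}

# Commonly published fingerprints (assumed here, not taken from the scanner):
# (lower-cased header name, lower-cased substring; "" = header merely present)
# and lower-cased body substrings.
WAF_SIGNATURES = {
    "Cloudflare": {
        "headers": [("server", "cloudflare"), ("cf-ray", "")],
        "body": ["attention required! | cloudflare", "cloudflare ray id"],
    },
    "Incapsula": {
        "headers": [("x-iinfo", ""), ("set-cookie", "incap_ses"), ("x-cdn", "incapsula")],
        "body": ["_incapsula_resource", "incapsula incident id"],
    },
    "Sucuri": {
        "headers": [("server", "sucuri"), ("x-sucuri-id", ""), ("x-sucuri-block", "")],
        "body": ["sucuri website firewall"],
    },
    "ModSecurity": {
        "headers": [("server", "mod_security")],
        "body": ["mod_security", "modsecurity"],
    },
}


def _header_hit(headers: Dict[str, str], name: str, needle: str) -> bool:
    value = headers.get(name)
    return value is not None and needle in value.lower()


def detect_waf(status: int, headers: Dict[str, str], body: str) -> Optional[str]:
    """Return the vendor name when the response looks like a WAF block, else None."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    low = body.lower()
    for vendor, sig in WAF_SIGNATURES.items():
        header_match = any(_header_hit(hdrs, n, s) for n, s in sig["headers"])
        body_match = any(s in low for s in sig["body"])
        # A verdict needs a block-shaped response: an explicit block page in the
        # body, or the vendor header together with a block status code.
        if body_match or (header_match and status in BLOCK_STATUSES):
            return vendor
    return None


# Constructed sample responses (status, headers, body); not captured traffic.
SAMPLES: Dict[str, Tuple[int, Dict[str, str], str]] = {
    "cloudflare_block": (403, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6789-FRA"},
                         "<title>Attention Required! | Cloudflare</title>"),
    "cloudflare_passthrough": (200, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6790-FRA"},
                               "<meta name=\"generator\" content=\"Joomla! - Open Source Content Management\">"),
    "incapsula_block": (403, {"X-Iinfo": "13-123456-0 0NNN"},
                        "<iframe src=\"/_Incapsula_Resource?SWUDNSAI=9\"></iframe>"),
    "sucuri_block": (403, {"Server": "Sucuri/Cloudproxy", "X-Sucuri-ID": "18012"},
                     "<title>Access Denied - Sucuri Website Firewall</title>"),
    "modsecurity_block": (406, {"Server": "Apache"},
                          "<p>This error was generated by Mod_Security.</p>"),
    "plain_404": (404, {"Server": "Apache"}, "<h1>Not Found</h1>"),
}


def classify_samples() -> Dict[str, Optional[str]]:
    """Run every constructed sample through detect_waf()."""
    return {name: detect_waf(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:24s} -> {verdict}")
```

The `cloudflare_passthrough` sample is the case that bites in practice: the site is behind Cloudflare, the request went through, and the verdict must be `None` so that the scanner goes on to its SAFE/VULNERABLE logic rather than stopping at BLOCKED_BY_WAF.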
- Python 3.8+
- (Optional) `openpyxl` for Excel reports
- (Optional) `rich` for pretty terminal cards
Everything else is Python standard library (urllib, http.cookiejar, argparse, threading, etc.).
```bash
# 1. Clone the repo
git clone https://github.com/YOUR_USERNAME/masta-cve-2026-48907.git
cd masta-cve-2026-48907

# 2. (Optional but recommended) install extras
pip install -r requirements.txt
```

You can also run the script directly without installing anything (terminal output only, no Excel):

```bash
# Single target
python masta-cve-2026-48907.py -u https://target.com

# Joomla! installed in a subdirectory
python masta-cve-2026-48907.py -u https://target.com/joomla

# Bulk list with 10 worker threads
python masta-cve-2026-48907.py -l targets.txt -t 10

# Route all traffic through Burp / ZAP
python masta-cve-2026-48907.py -u https://target.com -p http://127.0.0.1:8080

# Help
python masta-cve-2026-48907.py -h
```
```text
-u URL          Single target URL
-l FILE         File containing URLs (one per line)
-o OUTPUT       Custom Excel output path
-t THREADS      Concurrent threads (default: 5)
-p PROXY        Proxy URL (e.g. http://127.0.0.1:8080)
--timeout N     Request timeout in seconds (default: 12)
--verify-ssl    Enable SSL certificate verification (default: disabled)
-v, --verbose   Show full per-target result cards during scan
-d, --debug     Show internal HTTP request traces
--no-color      Disable colored terminal output
```

Below is the complete scanning logic from input to final report.
```mermaid
flowchart TD
A[User provides -u URL or -l FILE] --> B[Normalize & deduplicate targets]
B --> C[Launch ThreadPoolExecutor]
C --> D[For each target]
D --> E1[probe_joomla<br/>GET /, meta, manifest,<br/>static assets, README]
E1 --> F1{Joomla! detected?}
F1 -- No --> R1[Status: NOT_JOOMLA]
F1 -- Yes --> E2[probe_jce<br/>GET jce.xml, endpoints,<br/>JCE-specific markers]
E2 --> F2{JCE detected?}
F2 -- No --> R2[Status: SAFE<br/>JCE not installed]
F2 -- Yes --> F3{Version >= 2.9.99.5?}
F3 -- Yes --> R3[Status: PATCHED]
F3 -- No --> E3[extract_csrf<br/>Parse Joomla! CSRF token]
E3 --> F4{Token found?}
F4 -- No --> R4[Status: PATCHED<br/>CSRF missing, likely hardened]
F4 -- Yes --> E5[Build math-verifier payload<br/>masta-cve-2026-48907-poc ...]
E5 --> E6[Vector 1: Multipart POST<br/>profile_file upload to tmp/]
E6 --> F5{HTTP 200?}
F5 -- Yes --> E7["GET /tmp/masta-{rand}.xml.php"]
E7 --> F6{Body contains<br/>MATHOK:3105:END ?}
F6 -- Yes --> R5[Status: VULNERABLE<br/>Confidence: CONFIRMED]
F6 -- No --> E8[Vector 2: Browser chain<br/>upload + rename via RPC]
E8 --> F7{RCE confirmed?}
F7 -- Yes --> R5
F7 -- No --> E9[Check for WAF block page]
E9 --> F8{WAF detected?}
F8 -- Yes --> R6[Status: BLOCKED_BY_WAF]
F8 -- No --> R7[Status: SAFE]
F5 -- No --> E8
R1 --> S[Append result to Excel + Terminal card]
R2 --> S
R3 --> S
R4 --> S
R5 --> S
R6 --> S
R7 --> S
S --> D
D --> T[Print Summary Dashboard]
T --> U[Save Excel Report to reports/]
U --> V[Print cleanup reminder for<br/>all uploaded POC files]
style R5 fill:#ff0000,stroke:#333,color:#fff
style R3 fill:#32CD32,stroke:#333,color:#000
style R6 fill:#FFD700,stroke:#333,color:#000
```
| Status | Meaning | Confidence |
|---|---|---|
| VULNERABLE | PHP payload executed and the math proof verified. RCE is real. | CONFIRMED |
| VULNERABLE_UPLOAD_ONLY | File uploaded successfully, but the PHP did not execute. Arbitrary file write is confirmed; RCE is not. | HIGH |
| PATCHED | Joomla! / JCE detected and version is >= 2.9.99.5 (HIGH), or no CSRF token could be extracted and the site is assumed hardened (MEDIUM: the token may also simply be absent from the probed page, so treat this as inferred, not verified). | HIGH / MEDIUM |
| SAFE | JCE not installed, or both exploit vectors failed with no recognized WAF block page (likely patched/hardened; a WAF the tool does not fingerprint produces the same result). | HIGH |
| BLOCKED_BY_WAF | A Web Application Firewall blocked the test; the vulnerability status is unknown. | LOW |
| NOT_JOOMLA | Target does not appear to be a Joomla! site. | CERTAIN |
| ERROR | Network / connectivity failure or unhandled exception. | LOW |
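The flowchart and the status table above describe the same decision flow from two sides. The following is an added example, not the scanner's own code, that ties them together: a version comparison that handles the four-part `2.9.99.5` string, the `MATHOK:<n>:END` proof check, and a `classify()` that walks the decision flow to the (status, confidence) pairs of the table. The `Probe` field names, the rule used for VULNERABLE_UPLOAD_ONLY (the uploaded file comes back as source, with the attribution line visible, instead of the computed result) and the constructed outcomes in `demo()` are assumptions of this example.

```python
import random
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PATCHED_VERSION = "2.9.99.5"
POC_MARKER = "masta-cve-2026-48907-poc"  # attribution string the page says every POC carries


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.9.99.5' -> (2, 9, 99, 5). Integer tuples order correctly where plain
    string comparison does not ('2.9.100' sorts below '2.9.99.5' as text)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_patched(version: str) -> bool:
    return parse_version(version) >= parse_version(PATCHED_VERSION)


def make_challenge(rng: random.Random) -> Tuple[int, int, int]:
    """Two random operands and the product the POC must echo back. A fresh
    challenge per target means a cached or replayed response cannot pass."""
    a, b = rng.randint(10, 99), rng.randint(10, 99)
    return a, b, a * b


def math_proof_ok(body: Optional[str], expected: int) -> bool:
    """Pass only on an exact MATHOK:<expected>:END marker. The digits are
    delimited, so 3105 does not accept 31050, and PHP source echoed back
    un-executed fails because the product was never computed."""
    if not body:
        return False
    match = re.search(r"MATHOK:(\d+):END", body)
    return match is not None and int(match.group(1)) == expected


@dataclass
class Probe:
    """Outcome of the probe steps for one target (field names are this example's)."""
    joomla: bool
    jce: bool
    jce_version: Optional[str] = None     # None when no version string was found
    csrf_token: Optional[str] = None
    upload_status: Optional[int] = None   # HTTP status of the Vector 1 multipart POST
    poc_body: Optional[str] = None        # body returned by GET on the POC URL
    vector2_rce: bool = False             # Vector 2 (browser chain) confirmed RCE
    waf_block: bool = False               # block page seen after both vectors failed


def classify(p: Probe, expected: int) -> Tuple[str, str]:
    """Walk the decision flow and return (status, confidence)."""
    if not p.joomla:
        return "NOT_JOOMLA", "CERTAIN"
    if not p.jce:
        return "SAFE", "HIGH"
    if p.jce_version and is_patched(p.jce_version):
        return "PATCHED", "HIGH"
    if not p.csrf_token:
        return "PATCHED", "MEDIUM"        # inferred from a missing token, not verified
    if p.upload_status == 200 and math_proof_ok(p.poc_body, expected):
        return "VULNERABLE", "CONFIRMED"
    if p.vector2_rce:
        return "VULNERABLE", "CONFIRMED"
    # Assumption for VULNERABLE_UPLOAD_ONLY: the file landed but was served as
    # source (attribution line visible) instead of the computed result.
    if p.upload_status == 200 and p.poc_body and POC_MARKER in p.poc_body:
        return "VULNERABLE_UPLOAD_ONLY", "HIGH"
    if p.waf_block:
        return "BLOCKED_BY_WAF", "LOW"
    return "SAFE", "HIGH"


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed probe outcomes (not real scan data) run through classify()."""
    rng = random.Random(48907)
    a, b, expected = make_challenge(rng)
    executed = f"MATHOK:{expected}:END"
    echoed = f"<?php // {POC_MARKER}\necho 'MATHOK:'.({a}*{b}).':END';"
    cases = {
        "not_joomla": Probe(joomla=False, jce=False),
        "jce_absent": Probe(joomla=True, jce=False),
        "newer_version": Probe(joomla=True, jce=True, jce_version="2.9.100"),
        "old_no_token": Probe(joomla=True, jce=True, jce_version="2.9.98"),
        "rce": Probe(True, True, "2.9.98", "t0k", 200, executed),
        "upload_only": Probe(True, True, "2.9.98", "t0k", 200, echoed),
        "wrong_answer": Probe(True, True, "2.9.98", "t0k", 200, "MATHOK:1:END"),
        "waf": Probe(True, True, "2.9.98", "t0k", 403, None, False, True),
    }
    return {name: classify(probe, expected) for name, probe in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

Two details are worth keeping when adapting this: compare versions as integer tuples, since a future `2.9.100` is newer than `2.9.99.5` but sorts below it as a string, and compare the echoed number against a per-target random challenge rather than a fixed constant, so a stale file from an earlier run or a cached response cannot produce a CONFIRMED verdict.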
Replace the image below with your actual terminal screenshot.
Replace the image below with your actual Excel report screenshot.
Tip: Run the scanner against a local test Joomla! instance to generate real screenshots. Commit them into the assets/ folder and they will render automatically on GitHub.
This scanner uploads a harmless PHP proof-of-concept to the target server to confirm the vulnerability. The tool will always print a reminder at the end of the scan listing all uploaded files. You must manually delete them after testing. These files are named masta-{random}.xml.php or similar and contain the clear text attribution line:
masta-cve-2026-48907-poc. This test is done as part of Security Assessment - masta ghimau.
- Author: Hussein Mohamed (masta ghimau)
- CVE: CVE-2026-48907
- Purpose: Authorized Joomla! JCE < 2.9.99.5 security assessments
By using this software you acknowledge full responsibility for your actions. The code is provided "as-is" with no warranties. If you do not understand the implications of running an intrusive RCE verification scanner, do not use this tool.
Use it to protect your own assets. Not to harm others.

