gh1mau/masta-cve-2026-48907

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

8 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

MASTA CVE-2026-48907 Scanner

Single-file, self-contained scanner for Joomla! JCE Editor < 2.9.99.5: Unauthenticated Remote Code Execution (CVE-2026-48907)
Author: Hussein Mohamed (masta ghimau)


Caution

DISCLAIMER: READ BEFORE USE

THIS IS AN INTRUSIVE SECURITY TESTING TOOL.

THIS TOOL IS FOR AUTHORIZED SECURITY ASSESSMENTS ONLY.
Scanning systems you do NOT own or have WRITTEN PERMISSION to test is ILLEGAL in most jurisdictions.

The author (Hussein Mohamed, masta ghimau) accepts ABSOLUTELY NO liability for any misuse, damage, legal action, or data loss arising from the use of this tool.

By running this scanner you agree to:

Only scan assets YOU OWN or for which you have EXPLICIT WRITTEN CONSENT.

Understand that the tool uploads a harmless POC PHP file to the target server as part of the intrusive accuracy check.

Manually delete every uploaded POC file immediately after use.

USE AT YOUR OWN RISK.

Important

Why "intrusive" matters for accuracy: To achieve the highest possible confidence and eliminate false positives, this tool performs a live math-verification payload test. It uploads a one-line, harmless PHP proof-of-concept and then confirms Remote Code Execution by checking that the server returns the exact computed math result. Non-intrusive scanners that only read version strings can miss back-ported patches or custom hot-fixes. This tool verifies that the vulnerability actually exists. It is therefore intrusive by design: use it wisely and only with full authorization.
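The verification step above reduces to a small decision: pick operands nobody could have guessed in advance, fetch the uploaded file, and accept only the exact product. The following is an added example of that classification logic, not code from the scanner itself; the shape of the PHP verifier line (a single echo of the product) and the status names it returns are assumptions taken from this README, and the sample bodies are constructed.

```python
import secrets


def make_challenge():
    """Pick two fresh random operands for one scan.

    Fresh operands per run mean a cached page, a canned response, or a marker
    left over from an earlier test cannot satisfy the check: only code that
    actually executed on the server can produce the expected product.
    """
    a = secrets.randbelow(900) + 100
    b = secrets.randbelow(900) + 100
    return a, b


def expected_marker(a, b):
    """The proof string the flowchart looks for, e.g. MATHOK:3105:END for 45*69."""
    return f"MATHOK:{a * b}:END"


def verifier_source(a, b):
    """Illustrative one-line verifier (an assumed payload shape, not the tool's
    real PoC). It does nothing but print the product; the attribution text the
    README mentions would be appended outside the PHP tags."""
    return f"<?php echo 'MATHOK:'.({a}*{b}).':END'; ?>"


def _squash(text):
    """Remove all whitespace so formatting differences do not break matching."""
    return "".join(text.split())


def classify(body, a, b):
    """Map the fetched PoC file body to one of the README's statuses.

    VULNERABLE              the exact computed marker is present: PHP ran.
    VULNERABLE_UPLOAD_ONLY  our own source came back verbatim: the file landed,
                            but the web server did not execute it.
    SAFE                    anything else, including a marker with a *wrong*
                            number (stale or spoofed), which must not count.
    """
    if expected_marker(a, b) in body:
        return "VULNERABLE"
    if _squash(verifier_source(a, b)) in _squash(body):
        return "VULNERABLE_UPLOAD_ONLY"
    return "SAFE"


# Constructed sample responses, as a scanner might see them.
SAMPLE_EXECUTED = "MATHOK:3105:END\n"                      # 45 * 69
SAMPLE_UNEXECUTED = "<?php echo 'MATHOK:'.(45*69).':END'; ?>\n"
SAMPLE_STALE = "MATHOK:3106:END\n"                         # right shape, wrong answer
```

The upload-only branch is what separates a confirmed RCE from a dangerous-but-unexecuted upload: if the web server returns the PHP source unchanged, the file is on disk and still needs the cleanup step, but no code ran.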


Overview

masta-cve-2026-48907.py is an original, single-file Python scanner that detects CVE-2026-48907 in Joomla! instances running JCE Editor component versions older than 2.9.99.5.

  • Pure stdlib HTTP: no requests/httpx dependency.
  • Self-contained: one .py file you can drop anywhere.
  • Graceful degradation: works without openpyxl or rich, but looks better when they are installed.
  • Zero false-positive RCE: a VULNERABLE verdict is only issued after the math-verification payload actually executes on the target.
  • Threaded bulk scanning: scan entire URL lists quickly via ThreadPoolExecutor.
  • Professional reporting: auto-generates styled Excel (.xlsx) reports with conditional colors.

Features

| Feature | Description |
|---|---|
| Multi-source fingerprinting | Detects Joomla! and JCE via meta tags, manifests, static assets, language files, and JCE-specific endpoints |
| WAF detection | Identifies Cloudflare, Incapsula, Sucuri, and ModSecurity blocks |
| Safe intrusive POC | Uploads a harmless PHP math verifier (attributed and explicitly labeled for cleanup) |
| Card-based terminal UI | Rich Panel + Table cards (or ANSI fallback) per target |
| Excel report | Auto-generated .xlsx with headers, freeze panes, column widths, and color-coded status cells |
| Proxy support | Route all traffic through Burp / ZAP / any HTTP proxy |
| Threaded | Configurable worker threads for bulk lists |

Requirements

  • Python 3.8+
  • (Optional) openpyxl for Excel reports
  • (Optional) rich for pretty terminal cards

Everything else is Python standard library (urllib, http.cookiejar, argparse, threading, etc.).


Installation

# 1. Clone the repo
git clone https://github.com/gh1mau/masta-cve-2026-48907.git
cd masta-cve-2026-48907

# 2. (Optional but recommended) install extras
pip install -r requirements.txt

You can also run the script directly without installing anything (terminal output only, no Excel):

python masta-cve-2026-48907.py -u https://target.com

Usage

Single Target

python masta-cve-2026-48907.py -u https://target.com/joomla

Bulk List (Threaded)

python masta-cve-2026-48907.py -l targets.txt -t 10

Through a Proxy (e.g., Burp Suite)

python masta-cve-2026-48907.py -u https://target.com -p http://127.0.0.1:8080

Full Options

python masta-cve-2026-48907.py -h

  -u URL         Single target URL
  -l FILE        File containing URLs (one per line)
  -o OUTPUT      Custom Excel output path
  -t THREADS     Concurrent threads (default: 5)
  -p PROXY       Proxy URL (e.g. http://127.0.0.1:8080)
  --timeout N    Request timeout in seconds (default: 12)
  --verify-ssl   Enable SSL certificate verification (default: disabled)
  -v, --verbose  Show full per-target result cards during scan
  -d, --debug    Show internal HTTP request traces
  --no-color     Disable colored terminal output
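The bulk, proxy and TLS options above map onto a few stdlib building blocks. The following is an added example of how a target list, a proxy and the --verify-ssl default can be wired together with urllib and ThreadPoolExecutor; it is not the scanner's own code. Defaulting bare hostnames to https:// is an assumption, and the probe function passed to scan_all stands in for the real per-target checks.

```python
import ssl
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlsplit, urlunsplit


def normalize_target(raw):
    """Canonicalise one line from -u URL or -l FILE, or return None to skip it.

    Blank lines and '#' comments are skipped; a bare host gets https://
    (an assumption about the tool's default); scheme and host are lower-cased;
    a trailing slash, query and fragment are dropped so that
    'https://Target.com/' and 'target.com' become the same target.
    """
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    if "://" not in line:
        line = "https://" + line
    parts = urlsplit(line)
    if not parts.netloc:
        return None
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path.rstrip("/"), "", ""))


def load_targets(lines):
    """Normalise and deduplicate, keeping first-seen order (step B of the flow)."""
    seen, out = set(), []
    for raw in lines:
        target = normalize_target(raw)
        if target and target not in seen:
            seen.add(target)
            out.append(target)
    return out


def build_opener_for(proxy=None, verify_ssl=False):
    """urllib opener honouring -p PROXY and --verify-ssl with stdlib only.

    With verify_ssl=False (the README's default) the scanner accepts any
    certificate, so anyone on the path can read and rewrite its traffic,
    including the PoC response that decides VULNERABLE versus SAFE.
    """
    handlers = []
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    handlers.append(urllib.request.HTTPSHandler(context=ctx))
    return urllib.request.build_opener(*handlers)


def scan_all(targets, probe, threads=5):
    """Run probe(target) -> result dict across a thread pool (step C of the flow).

    One misbehaving target must not abort a bulk run: any exception becomes a
    row with status ERROR, the README's status for network and unhandled
    failures, so the report still has one row per target. pool.map returns
    results in input order, which keeps the Excel rows stable.
    """
    def guarded(target):
        try:
            return probe(target)
        except Exception as exc:  # deliberate catch-all: errors become rows
            return {"target": target, "status": "ERROR",
                    "detail": f"{type(exc).__name__}: {exc}"}

    with ThreadPoolExecutor(max_workers=threads) as pool:
        return list(pool.map(guarded, targets))
```

Leave --verify-ssl off only on a network you control (a lab, or traffic pinned through your own Burp/ZAP instance); on anything else, a forged certificate is enough to feed the scanner a fake MATHOK response or to capture the PoC it uploads.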

Scanner Flow

Below is the complete scanning logic from input to final report.

```mermaid
flowchart TD
    A[User provides -u URL or -l FILE] --> B[Normalize & deduplicate targets]
    B --> C[Launch ThreadPoolExecutor]
    C --> D[For each target]

    D --> E1[probe_joomla<br/>GET /, meta, manifest,<br/>static assets, README]
    E1 --> F1{Joomla! detected?}
    F1 -- No --> R1[Status: NOT_JOOMLA]

    F1 -- Yes --> E2[probe_jce<br/>GET jce.xml, endpoints,<br/>JCE-specific markers]
    E2 --> F2{JCE detected?}
    F2 -- No --> R2[Status: SAFE<br/>JCE not installed]

    F2 -- Yes --> F3{Version >= 2.9.99.5?}
    F3 -- Yes --> R3[Status: PATCHED]

    F3 -- No --> E3[extract_csrf<br/>Parse Joomla! CSRF token]
    E3 --> F4{Token found?}
    F4 -- No --> R4[Status: PATCHED<br/>CSRF missing -> likely hardened]

    F4 -- Yes --> E5[Build math-verifier payload<br/>masta-cve-2026-48907-poc ...]
    E5 --> E6[Vector 1: Multipart POST<br/>profile_file upload to tmp/]
    E6 --> F5{HTTP 200?}

    F5 -- Yes --> E7["GET /tmp/masta-{rand}.xml.php"]
    E7 --> F6{Body contains<br/>MATHOK:3105:END ?}
    F6 -- Yes --> R5[Status: VULNERABLE<br/>Confidence: CONFIRMED]
    F6 -- No --> E8[Vector 2: Browser chain<br/>upload + rename via RPC]
    E8 --> F7{RCE confirmed?}
    F7 -- Yes --> R5

    F7 -- No --> E9[Check for WAF block page]
    E9 --> F8{WAF detected?}
    F8 -- Yes --> R6[Status: BLOCKED_BY_WAF]
    F8 -- No --> R7[Status: SAFE]

    F5 -- No --> E8

    R1 --> S[Append result to Excel + Terminal card]
    R2 --> S
    R3 --> S
    R4 --> S
    R5 --> S
    R6 --> S
    R7 --> S

    S --> D
    D --> T[Print Summary Dashboard]
    T --> U[Save Excel Report to reports/]
    U --> V[Print cleanup reminder for<br/>all uploaded POC files]

    style R5 fill:#ff0000,stroke:#333,color:#fff
    style R3 fill:#32CD32,stroke:#333,color:#000
    style R6 fill:#FFD700,stroke:#333,color:#000
```
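The F3 decision in the flow ("Version >= 2.9.99.5?") is the one place where a careless implementation silently misreports: version strings must be compared component-wise as integers, not as text. The following is an added example of reading the version from a manifest and comparing it against the fixed release, not the scanner's own probe_jce code. The sample manifest is constructed with only the elements the check reads and is not a copy of the real jce.xml.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "2.9.99.5"          # the fixed release named in this README
MAX_MANIFEST_BYTES = 64 * 1024      # the manifest is server-controlled input: cap it

# Constructed sample with the shape of a Joomla! extension manifest; only the
# elements this check reads are present. Not a copy of the real jce.xml.
SAMPLE_MANIFEST = """<extension type="component" method="upgrade">
  <name>COM_JCE</name>
  <version>2.9.99.4</version>
</extension>
"""


def parse_version(text):
    """'2.9.99.5' -> (2, 9, 99, 5). Ignores a leading 'v' and trailing tags
    such as '-rc1' so that '2.9.99.5-rc1' still compares numerically."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_patched(found, fixed=FIXED_VERSION):
    """True when found >= fixed, comparing component-wise as integers.

    A plain string comparison gets this wrong: '2.9.99.10' < '2.9.99.5' as
    strings, so a future 2.9.99.10 would be reported as vulnerable.
    """
    f, x = parse_version(found), parse_version(fixed)
    width = max(len(f), len(x))
    f += (0,) * (width - len(f))     # 2.9.99 compares as 2.9.99.0
    x += (0,) * (width - len(x))
    return f >= x


def manifest_version(xml_text):
    """Extract <version> from an extension manifest, or None if absent.

    The manifest comes from the target, so it is untrusted input: refuse
    oversized documents before handing them to the XML parser.
    """
    if len(xml_text) > MAX_MANIFEST_BYTES:
        raise ValueError("manifest too large")
    root = ET.fromstring(xml_text)
    node = root.find("version")
    return node.text.strip() if node is not None and node.text else None
```

As the README stresses, a version below 2.9.99.5 is only the gate into the live test: a back-ported fix leaves the version string untouched, which is why the tool does not report VULNERABLE from this check alone.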

Result Statuses

| Status | Meaning | Confidence |
|---|---|---|
| VULNERABLE | PHP payload executed and math proof verified. RCE is real. | CONFIRMED |
| VULNERABLE_UPLOAD_ONLY | File uploaded successfully, but PHP execution was blocked. Exploitable but not confirmed RCE. | HIGH |
| PATCHED | Joomla! / JCE detected and version is >= 2.9.99.5, or CSRF is hardened. | HIGH / MEDIUM |
| SAFE | JCE not installed, or exploit vectors failed (likely patched/hardened). | HIGH |
| BLOCKED_BY_WAF | A Web Application Firewall blocked the test. | LOW |
| NOT_JOOMLA | Target does not appear to be a Joomla! site. | CERTAIN |
| ERROR | Network / connectivity / unhandled exception. | LOW |

BLOCKED_BY_WAF and ERROR say nothing about whether the target is vulnerable; re-test those targets rather than counting them as safe. A SAFE verdict reached after the exploit vectors failed means only that the two vectors this tool tries did not work against that host.

Screenshots

Terminal Output (Card View)

Replace the image below with your actual terminal screenshot.

Terminal Screenshot Placeholder

Excel Report

Replace the image below with your actual Excel report screenshot.

Excel Report Placeholder

Tip: Run the scanner against a local test Joomla! instance to generate real screenshots. Commit them into the assets/ folder and they will render automatically on GitHub.


Cleanup Warning

This scanner uploads a harmless PHP proof-of-concept to the target server to confirm the vulnerability. The tool will always print a reminder at the end of the scan listing all uploaded files. You must manually delete them after testing. These files are named masta-{random}.xml.php or similar and contain the clear text attribution line:

masta-cve-2026-48907-poc. This test is done as part of Security Assessment - masta ghimau.

Author & Legal

  • Author: Hussein Mohamed (masta ghimau)
  • CVE: CVE-2026-48907
  • Purpose: Authorized Joomla! JCE < 2.9.99.5 security assessments

By using this software you acknowledge full responsibility for your actions. The code is provided "as-is" with no warranties. If you do not understand the implications of running an intrusive RCE verification scanner, do not use this tool.


πŸ›‘ Use it to protect your own assets. Not to harm others.
