JCE Pro 2.9.99.6 Is a Hardening Release After a Full Audit of Joomla's Most-Installed Editor
JCE (Joomla Content Editor) ships on more Joomla sites than any other editor extension. It sits in the top two of our live extension ranking, neck and neck with Akeeba Backup. If you look after a stack of Joomla sites, almost all of them have JCE installed.
On 8 June 2026, the JCE developer released JCE Pro 2.9.99.6. This one reads differently from the two releases before it. Rather than patching a single named flaw, the developer describes spending four days on “a comprehensive analysis and audit of the JCE extension, narrowing entry points, and hardening input validation.” It is a strongly recommended update for every site, framed as defense in depth rather than a fire drill.
This is the third JCE security release in under two weeks. The 2.9.99.4 release on 28 May patched two authenticated-only bugs in the file browser. The 2.9.99.5 release on 3 June was the serious one: an unauthenticated editor profile upload that could be used to upload arbitrary files to the server, tracked as CVE-2026-48907. 2.9.99.6 is the developer’s follow-up to all of that, a deliberate sweep of the codebase to find and close whatever the first two fixes did not.
This post covers what 2.9.99.6 actually changes, why a hardening release with no named CVE still belongs on your patch-today list, and how to find and update every JCE install across the Joomla sites you manage with mySites.guru in one batch instead of one administrator panel at a time.
The short version
JCE 2.9.99.6 is a security hardening release following a full four-day audit of the editor. It narrows entry points and tightens input validation across JCE. There is no new named CVE, but the developer calls it strongly recommended for all sites. If you patched to 2.9.99.5 last week, update again to 2.9.99.6 now.
Update, 10 June 2026
On 9 June, working exploit code for CVE-2026-48907, the unauthenticated file upload patched in 2.9.99.5, was published on GitHub. When this post first went out, we wrote that you were not racing a published exploit. You now are. If any site you manage is still below 2.9.99.5, treat it as a drop-everything update straight to 2.9.99.6, and check it for rogue profiles and webshells while you are there.
TL;DR
- JCE Pro 2.9.99.6 released 8 June 2026, the third JCE security release in under two weeks
- Result of a four-day audit of the editor that narrowed entry points and hardened input validation
- Framed as defense in depth, not a fix for one named flaw. No CVE assigned to this release itself
- Update, 10 June: working exploit code for CVE-2026-48907, the flaw patched in 2.9.99.5, was published on GitHub on 9 June. Any site below 2.9.99.5 is racing a published exploit
- The developer calls it a strongly recommended update for all sites
- Supersedes every earlier release, including last week’s 2.9.99.5 (CVE-2026-48907, unauthenticated file upload) and 2.9.99.4
- If you already updated to 2.9.99.5, update again to 2.9.99.6
- Runs natively on Joomla 3, 4, 5, and 6 without the Backwards Compatibility plugin
- The release announcement recommends mySites.guru by name for managing updates across multiple sites
- Update via the Joomla Update Manager or the JCE downloads area
- If you manage multiple sites, mySites.guru’s mass updater pushes the update to every affected site at once
What 2.9.99.6 actually is
The release announcement is short and, refreshingly, honest about what kind of update this is. In the developer’s own words:
Following on from last week’s emergency update, I have spent the last 4 days conducting a comprehensive analysis and audit of the JCE extension, narrowing entry points, and hardening input validation. This release is the result of that audit. It is a strongly recommended update for all sites.
There is no single security line naming one bug, the way 2.9.99.5 carried “insufficient access controls permitted unauthenticated users to upload editor profiles.” At the time this post goes out, the editor changelog has not yet published a detailed 2.9.99.6 entry. So treat this as exactly what the developer describes: a proactive hardening pass, not a response to a fresh public disclosure.
That distinction mattered for how you triage it, and it lasted exactly one day. 2.9.99.5 was a “drop everything” release because it named an unauthenticated file upload. When it landed, 2.9.99.6 read as a “do it today, but you are not racing a published exploit” release. Then, on 9 June, working exploit code for CVE-2026-48907 was published on GitHub. For sites already on 2.9.99.5, updating to 2.9.99.6 today is still the right pace. For any site still below 2.9.99.5, you are back to drop everything, because the flaw it patched now has a public exploit, and the fix is the same either way: go straight to 2.9.99.6.
Why a hardening release still earns a patch-today slot
It is tempting to file “no CVE of its own, just hardening” under “next maintenance window.” On most extensions, that would be a reasonable call. On JCE specifically, it is not, for three reasons.
First, reach. JCE is on more Joomla sites than any other editor. A hardening change to JCE touches a larger share of your estate than almost any other single update you will apply this month.
Second, context. This audit was triggered by a genuine unauthenticated file upload disclosed days earlier. When a developer says “I went looking for more after finding that one,” the sensible assumption is that the audit closed things worth closing, even if they have not been written up as individual advisories. Input validation hardening on an editor that handles file paths and uploads is not cosmetic. The same week this release landed, we found that unauthenticated upload being exploited on a live Joomla site, and on 9 June working exploit code for it was published on GitHub for anyone to run. That is exactly the kind of real-world escalation that makes a hardening pass worth applying on every install before anyone goes looking again.
Third, cost. The update needs no configuration changes, carries no functional changes for either Free or Pro, and costs nothing beyond an active subscription on the Pro side. The risk of applying it is effectively zero. The only thing “wait and see” buys you is a longer window in which a site sits below the current security baseline of its most-installed extension.
How 2.9.99.6 fits with 2.9.99.4 and 2.9.99.5
Three releases in twelve days is unusual, and it helps to see them as one connected story rather than three separate scares.
| | JCE 2.9.99.4 (28 May) | JCE 2.9.99.5 (3 June) | JCE 2.9.99.6 (8 June) |
|---|---|---|---|
| Type | Two named bug fixes | One named bug fix | Hardening audit |
| Authentication | Authenticated only | Unauthenticated | N/A (proactive) |
| CVE | None | CVE-2026-48907 | None at time of writing |
| Trigger | External report | External report | Developer’s own audit |
| Urgency | Patch this week | Patch now | Patch today |
The 2.9.99.4 release closed two authenticated-only issues in the file browser. The 2.9.99.5 release closed the serious one, an unauthenticated profile upload that could lead to arbitrary file upload. 2.9.99.6 is the developer’s deliberate follow-through: having found and fixed a real unauthenticated flaw, they audited the rest of the editor to harden it before anyone else went looking. That is the response you want to see from a maintainer after an emergency fix, and it is a point in JCE’s favour, not against it.
If you have been tracking these releases, the practical upshot is simple. The target version moved twice in a week. Whatever you patched to last, the current floor is now 2.9.99.6.
The JCE developer recommends mySites.guru by name
One detail in the 2.9.99.6 announcement is worth calling out, because it speaks directly to the problem this release creates for anyone running more than a couple of Joomla sites. After three updates in twelve days, the developer adds:
Update fatigue is real. If you manage multiple sites you might consider services like BackupMonkey and mySites.guru, which assist in managing and updating multiple sites.
That is the JCE developer, unprompted, pointing multi-site owners at mySites.guru in the same announcement that asks everyone to update again. It is a fair point. Three releases in twelve days is exactly the scenario where logging into administrator panels one at a time stops being viable, and where a central extension inventory and a mass updater earn their keep.
How to update JCE on a single Joomla site
For one site, the update is routine. Joomla’s built-in extension update tooling picks up 2.9.99.6 as soon as the JCE update server publishes it.
- Log in to the Joomla administrator
- Go to System -> Update -> Extensions (on Joomla 3: Extensions -> Manage -> Update)
- Click Check for Updates
- Select the JCE row
- Click Update
If the update does not appear, check that JCE’s update site is enabled under System -> Update -> Update Sites (Extensions -> Manage -> Update Sites on Joomla 3). For JCE Pro, you also need a valid subscription key entered under Components -> JCE Editor -> Options -> Subscription Key for the Pro update channel to be reachable. JCE Free pulls from the same JCE update server and needs no key.
After updating, hard-refresh the editor in a logged-in session to flush cached JCE assets. The version under Components -> JCE Editor should read 2.9.99.6 once you reload.
How to find every Joomla site below 2.9.99.6 using mySites.guru
That is the easy case. The hard case is “I look after 40 client Joomla sites, JCE just shipped its third release in two weeks, and I have lost track of which version each site is on.”
That is what mySites.guru is built for. Twice a day, a snapshot runs against every connected Joomla site and indexes every installed extension, including its exact version. You can answer the JCE 2.9.99.6 question in seconds instead of logging into 40 administrator panels in sequence.
Open the extension search in your dashboard and look up the Editor - JCE entry. You see every version of JCE across your portfolio, grouped by version number, with each site that runs it listed underneath. Anything below 2.9.99.6 needs the update. Sites already on 2.9.99.6, or which auto-updated overnight, are green.
You can also separate JCE Free from JCE Pro if you run a mixed estate. Both editions ship the same release from the same update server, but Pro is gated by a subscription key, so it helps to know which sites sit in which group when you start chasing the stragglers, particularly the lapsed Pro subscriptions that quietly stop receiving updates.
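If you have shell access to the hosts, the same inventory can be built from disk without a dashboard, and it is also a quick way to catch the lapsed Pro subscriptions discussed further down. The script below is an added example written for this post, not code from JCE, Joomla or mySites.guru. It assumes each site root holds the JCE component manifest at administrator/components/com_jce/jce.xml with a `<version>` element (the path is an assumption; adjust it for your layout) and classifies each site with the thresholds this post sets: 2.9.99.6 is current, 2.9.99.5 still needs the hardening release, anything older on the 2.9 line is exposed to CVE-2026-48907, and pre-2.9 branches need a modernisation rather than a patch. The demo builds constructed fixture sites in a temporary directory so it runs offline.

```python
"""Inventory JCE versions across Joomla document roots on one host.

Added example for this post; not code from JCE, Joomla or mySites.guru.
Assumption: each site root holds the JCE component manifest at
administrator/components/com_jce/jce.xml containing a <version> element.
"""
import re
import tempfile
from pathlib import Path

TARGET = "2.9.99.6"          # current floor after the hardening release
FIRST_PATCHED = "2.9.99.5"   # first build carrying the CVE-2026-48907 fix
# Assumed manifest location relative to a site's document root.
MANIFEST = Path("administrator/components/com_jce/jce.xml")


def parse_version(text):
    """Turn '2.9.99.6' into (2, 9, 99, 6) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def read_jce_version(site_root):
    """Return the JCE version string from the manifest, or None if JCE is absent."""
    manifest = Path(site_root) / MANIFEST
    if not manifest.is_file():
        return None
    match = re.search(r"<version>\s*([\d.]+)\s*</version>",
                      manifest.read_text(errors="replace"))
    return match.group(1) if match else None


def classify(version):
    """Map a JCE version to the action this post recommends."""
    if version is None:
        return "missing"
    v = parse_version(version)
    if v >= parse_version(TARGET):
        return "current"
    if v < parse_version("2.9"):
        return "old-branch"    # never received the 2.9.99.5 fix; modernise Joomla and JCE together
    if v < parse_version(FIRST_PATCHED):
        return "urgent"        # exposed to CVE-2026-48907, which now has a public exploit
    return "patch-today"       # on 2.9.99.5; still needs the hardening release


def inventory(site_roots):
    """Classify every root; returns a list of (root, version, status)."""
    rows = []
    for root in site_roots:
        version = read_jce_version(root)
        rows.append((str(root), version, classify(version)))
    return rows


def build_fixture_sites(base):
    """Constructed sample: four fake document roots with different JCE versions, one without JCE."""
    versions = {"site-a": "2.9.99.6", "site-b": "2.9.99.5", "site-c": "2.9.99.3", "site-d": "2.8.13"}
    for name, version in versions.items():
        manifest = Path(base) / name / MANIFEST
        manifest.parent.mkdir(parents=True)
        manifest.write_text('<?xml version="1.0"?>\n<extension type="component">\n'
                            f'  <name>JCE</name>\n  <version>{version}</version>\n</extension>\n')
    (Path(base) / "site-e").mkdir()   # Joomla site with no JCE at all
    return sorted(Path(base).iterdir())


def demo_inventory():
    """Run the inventory over the constructed fixtures; returns the status per site in name order."""
    with tempfile.TemporaryDirectory() as tmp:
        return [status for _root, _version, status in inventory(build_fixture_sites(tmp))]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for root, version, status in inventory(build_fixture_sites(tmp)):
            print(f"{status:<11} {version or '-':<10} {root}")
```

On a real host, replace the fixtures with something like `inventory(Path("/var/www").glob("*/public_html"))` and anything reported as `urgent` or `old-branch` goes to the top of the queue. The manifest tells you the installed version only; whether the site can still see updates (the lapsed-key problem) is a separate question you answer in the administrator or in the mySites.guru report.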
mySites.guru subscribers: jump straight to the JCE inventory
Lists every JCE install across your connected Joomla sites, grouped by version. Anything below 2.9.99.6 needs the patch. Not a subscriber? Sign up free and connect your sites.
Push 2.9.99.6 across every affected site in one batch
Once you know which sites are behind, you do not patch them one by one. The mySites.guru mass extension updater lets you select every site running an outdated JCE and trigger the update across all of them at once.
The mass update screen groups every JCE install by the version it can update to, with an “Apply to all” button per group and per-site controls when you want to be selective. Sites stuck on much older branches (2.6, 2.7, 2.8) get patched in the same sweep as ones already on the 2.9.99.x line. Behind the scenes, the platform calls each site’s connector, pulls the 2.9.99.6 package from JCE’s update server, installs it, and reports back with a pass or fail per site and a log entry against the site. Any site that is offline, firewalled, or running an outdated connector surfaces as a clear failure rather than a silent miss.
This is the workflow the JCE developer is gesturing at when they mention update fatigue. Three releases in twelve days is three full rounds of “log in, check, update, verify” per site by hand, or three clicks of “Apply to all” across the estate.
Sites with auto-updates enabled were patched overnight
This is exactly the scenario automatic extension updates exist for. The mySites.guru auto-updater pushes releases like 2.9.99.6 to opted-in Joomla sites without anyone logging in. If your sites are enrolled, the update has landed, the version is verified, and an audit entry is sitting in the activity log. If they are not, three JCE releases in two weeks is a strong argument to change that. The Automatic Updates for Any Joomla Extension feature already covers JCE Free and JCE Pro through Joomla’s native extension update API. Turn it on and the next JCE release patches itself while you sleep. Enable auto-updates from your dashboard or start a free trial if you do not have an account yet.
How quickly should you patch JCE 2.9.99.6?
Patch today on every Joomla site running JCE. There is no functional change in 2.9.99.6 that would justify holding back, the update needs no configuration changes on either Free or Pro and costs nothing beyond an active Pro subscription, and the developer has explicitly labelled it strongly recommended for all sites.
When this post first went out, the line here was that you were not racing a published exploit. Since 9 June, you are: working exploit code for CVE-2026-48907 is public on GitHub, and we had already found the flaw being exploited on live sites before that. For any site still below 2.9.99.5, this is worth dropping a meeting for. For sites already on 2.9.99.5, “today” remains the right window: a hardening release on your most-installed editor, shipped days after a real unauthenticated file upload was found in the same component, is not the one to leave sitting in the queue.
If you run scheduled overnight automation, the cleanest answer is to let the auto-updater handle it and check the activity log in the morning. If you patch manually, do the whole estate in one batch rather than picking sites off individually.
Edge cases and gotchas
The same caveats that applied to 2.9.99.4 and 2.9.99.5 apply here, because the update mechanism is identical.
Lapsed JCE Pro subscriptions
Both editions pull updates from JCE’s own update server, not the Joomla Extensions Directory. The catch for Pro is the subscription key. If a Pro install’s subscription has lapsed, 2.9.99.6 will not appear in that site’s update list and the site sits silently on an older version. After three releases in two weeks, lapsed Pro subscriptions are the most likely reason a site is still behind. Scan your mySites.guru extension report 48 hours after release for any JCE Pro install still below 2.9.99.6. Those are almost certainly the lapsed keys. The fix is to renew, or drop a temporary key into the site, pull the release, then sort the renewal afterwards.
Sites still on JCE branches older than 2.9
A JCE 2.6.x or 2.7.x install on a long-tail Joomla 3 site is far more exposed than this single release implies. 2.9.99.6 is for the current branch. Older lines never received the 2.9.99.5 unauthenticated file upload fix, let alone this hardening pass, and carry years of unpatched issues on top. The right answer is to bring both Joomla and JCE up to date together. mySites.guru’s migration tooling helps triage which sites need the most work. If a client genuinely refuses to modernise, at minimum disable JCE on that site and fall back to TinyMCE or CodeMirror until it can be brought current.
Custom Editor Profiles with broad filesystem access
If you previously set up an Editor Profile with broad filesystem access (the whole images/ tree, or worse), the principle of least privilege still applies after this update. A hardening release reduces the attack surface, but a profile with broad file permissions remains a high-value target for whatever the next JCE issue turns out to be. Review every profile under Components -> JCE Editor -> Editor Profiles on each site and lock each one to the narrowest path that still lets its user group work.
Does this affect WordPress?
No. JCE is a Joomla-only editor extension. There is no WordPress build of JCE Pro or JCE Free, no shared codebase, and no equivalent release for WordPress. WordPress sites use the core block editor or TinyMCE, which have their own separate histories. If you run a mixed estate, the WordPress half is unaffected by this release. The Joomla half needs the update.
Further Reading
- JCE Pro 2.9.99.6 release announcement - the developer’s note on the audit and hardening pass
- JCE Free/Pro 2.9.99.5 Security Update - the unauthenticated file upload (CVE-2026-48907) that triggered this audit
- JCE Free/Pro 2.9.99.4 Security Update - the two authenticated-only file browser bugs from 28 May
- JCE editor changelog - the developer’s running changelog
- JCE downloads area - direct package downloads for JCE Pro subscribers
- Top 50 Joomla Extensions - live ranking from the mySites.guru database, where JCE consistently ranks in the top two
- How to update Joomla, Joomla extensions, WordPress and WordPress plugins from mySites.guru - the mass updater workflow used for rollouts like this
- Automatic updates for any Joomla extension - enrol JCE in scheduled overnight updates so the next release patches itself
For broader agency guidance on managing Joomla security and updates across a portfolio, see our Joomla agency handbook.