Release date: 3 June 2026.
JCE 2.9.99.5 is a Critical Security Fix: update immediately
Vulnerability addressed by this Critical Security Fix:
- Insufficient access controls permitted unauthenticated users to upload editor profiles
Impact
The vulnerability could be used to upload arbitrary files to the server hosting a website.
Every Joomla! website running JCE is in scope and not just ones with public registration.
Read more: JCE 2.9.99.5 Critical Security Fix is released
For a very comprehensive review of this Critical Security Fix, and the impact of not immediately installing the update, we recommend you read the related post in the mysites.guru Blog.
This version is compatible with the Joomla! 5 and 6 Series and PHP 8.4 and 8.5.
The Backward Compatibility plugin does not need to be enabled to use it with Joomla! 5+
The next JCE release will be v3.0 when official support for the Joomla 3 CMS will be removed.
Read more: JCE Content Editor Release Notes
Heads Up
JCE 2.9.99.4 was also a Security Fix
Vulnerabilities addressed by the JCE 2.9.99.4 Security Fix were:
- Insufficient profile access validation in the file browser,
- Path traversal vulnerability in the file browser directory search action.
Information for users of Joomla! 3
Whilst official support for the Joomla 3 CMS will be removed when JCE v3.0 is released, the developer reports that minor updates addressing critical issues will continue to be provided for the 2.9.99 series using a supplemental version scheme, for example, 2.9.99.1, 2.9.99.2, etc.
This is to ensure Joomla 3 users remain supported for critical fixes while development progresses toward JCE v3.x.
Read more: Announcement by JCE Developer with release of JCE 2.9.99
Useful JCE Content Editor Information
JCE Resource Requirements
Before using JCE we recommend you check out the developer's web page detailing server requirements and more for the best experience using their excellent extension.
Video Tutorials
Visit the following link to make use of some really useful video tutorials at the developer's website.
JCE Developer recommends enabling IMagick PHP Extension
Reason: to improve performance when using the JCE Content Editor with images.
Read the developer's tutorial at the link below.
Quote:
"Image processing on your server is usually done by one of two PHP extensions - GD2 or IMagick. The latter is preferred, as it is more efficient, consumes less memory and is therefore better at processing large images. GD2 will always remove EXIF data from a resized image, regardless of the Remove EXIF Data option. You can check if IMagick is available on your site in System -> System Information -> PHP Information. Speak to your host if you do not see it listed." Source: JCE.
Meet the man behind JCE: Ryan Demmer
June 2024 edition of the Joomla! Community Magazine (JCM) includes a really engaging article with Ryan Demmer, developer of the JCE Content Editor.
Back up before updating any 3rd party Joomla! extension
Any update can break your website.
Perform a full backup of your website (database and files) before installing any update.
Your personal data is nobody's business.