CISA Warns of Actively Exploited Joomla JCE Vulnerability with PHP Code Execution

Bottom line: CVE-2026-48907 (CVSS 10.0) in Joomla JCE is being actively exploited and enables PHP code execution through insufficient access control.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability in Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog because it is being actively exploited in the wild. The vulnerability allows attackers to execute arbitrary PHP code.

The vulnerability is tracked as CVE-2026-48907 and carries the maximum CVSS score of 10.0. The JCE plugin (Widget Factory Joomla Content Editor) is used in many Joomla installations as a content management tool.

The problem lies in insufficient access control that allows attackers to execute arbitrary PHP code. This can lead to complete compromise of affected Joomla systems, including database access and lateral movement within the network.

For CISOs, inclusion in the KEV catalog means that the vulnerability has already been integrated into attack tools and is in active use. Organizations with Joomla installations should immediately verify whether JCE is installed, apply available patches, or disable the plugin.
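To support the "verify whether JCE is installed" step, the following inventory script is an added example, not code from CISA, the JCE project or the cited source. It assumes JCE is installed as the component directory `administrator/components/com_jce` and the editor plugin directory `plugins/editors/jce`, and that sites live under `/var/www`; the page does not name a fixed version, so the script only reports the version it finds.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed on-disk layout of JCE inside a Joomla site root (not stated on the page).
COMPONENT_DIR = Path("administrator/components/com_jce")
PLUGIN_DIR = Path("plugins/editors/jce")


def manifest_version(directory):
    """Return <version> from the first Joomla extension manifest in directory, or None."""
    for xml_file in sorted(directory.glob("*.xml")):
        try:
            root = ET.parse(xml_file).getroot()
        except (ET.ParseError, OSError):
            continue  # unreadable or malformed XML: try the next file
        # Extension manifests use <extension> (older ones <install>) as the root tag.
        if root.tag in ("extension", "install"):
            version = root.findtext("version")
            if version:
                return version.strip()
    return None


def find_jce(search_root):
    """Walk search_root and list every Joomla site that carries JCE files."""
    findings = []
    for admin_dir in Path(search_root).rglob("administrator"):
        site = admin_dir.parent
        # Treat a directory as a Joomla site root only if configuration.php is present.
        if not admin_dir.is_dir() or not (site / "configuration.php").is_file():
            continue
        component, plugin = site / COMPONENT_DIR, site / PLUGIN_DIR
        if component.is_dir() or plugin.is_dir():
            findings.append({
                "site": str(site),
                "component": component.is_dir(),
                "plugin": plugin.is_dir(),
                "version": manifest_version(component) if component.is_dir() else None,
            })
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"  # assumed default web root
    for f in find_jce(root):
        print(f"{f['site']}: JCE version={f['version'] or 'unknown'} "
              f"component={f['component']} plugin={f['plugin']}")
```

Files on disk show that the extension is present, not whether it is enabled, so each hit still needs a check in the Joomla extension manager before patching or disabling it.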


Source: thehackernews.com · Published June 17, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.