The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a critical security issue affecting the Widget Factory Joomla Content Editor (JCE). The vulnerability, identified as CVE-2026-48907, carries a maximum severity rating with a CVSS score of 10.0.
This flaw stems from improper access controls within the JCE extension, enabling unauthenticated attackers to create new editor profiles without authorization. By abusing this capability, threat actors can upload and execute malicious PHP code on affected systems, potentially leading to full compromise of the underlying Joomla environment.
According to CISA, the vulnerability allows attackers to bypass standard restrictions and gain execution capabilities through the creation of unauthorized editor profiles. This effectively opens the door for remote code execution in vulnerable installations.
The issue impacts JCE versions ranging from 1.0.0 through 2.9.99.4. It has been addressed in version 2.9.99.5, which was released on June 3, 2026. Although detailed information about active exploitation campaigns has not yet been publicly disclosed, the inclusion in the KEV catalog indicates confirmed exploitation in the wild.
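To turn the affected range above into a repeatable check across a fleet of Joomla sites, here is an added triage helper (not code from the advisory, CISA, or the JCE project); the hostnames and the `SAMPLE_INVENTORY` list are constructed sample data, and the helper assumes you already collect the installed JCE version per site from your own inventory tooling.

```python
"""Triage helper: flag JCE installations still inside the affected version range.

Per the advisory: affected 1.0.0 through 2.9.99.4, fixed in 2.9.99.5.
"""
import re
from typing import List, Tuple

AFFECTED_MIN = "1.0.0"
AFFECTED_MAX = "2.9.99.4"
FIXED_VERSION = "2.9.99.5"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.9.99.4' into (2, 9, 99, 4); reject anything that is not dotted integers."""
    if not re.fullmatch(r"\d+(\.\d+)*", v.strip()):
        raise ValueError(f"unparseable version string: {v!r}")
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(version: str) -> bool:
    """True if the JCE version falls inside the range the KEV entry covers.

    Tuples compare lexicographically, so (2, 9, 99, 4) < (2, 9, 99, 5) and
    (2, 10) > (2, 9, 99, 5). A missing trailing component sorts lower, so
    (2, 9, 99) < (2, 9, 99, 4) and is still inside the affected range.
    """
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hosts whose recorded JCE version still needs the 2.9.99.5 update."""
    needs_update = []
    for host, version in inventory:
        try:
            if is_affected(version):
                needs_update.append(host)
        except ValueError:
            # Unknown or unparseable version: cannot prove it is fixed, so flag it for review.
            needs_update.append(host)
    return needs_update


# Constructed sample inventory of (hostname, JCE version) for demonstration only.
SAMPLE_INVENTORY = [
    ("cms-a.example.internal", "2.9.99.4"),
    ("cms-b.example.internal", "2.9.99.5"),
    ("cms-c.example.internal", "2.8.0"),
    ("cms-d.example.internal", "unknown"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update JCE to {FIXED_VERSION} or later")
```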
In line with Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate vulnerabilities listed in the KEV catalog within specified deadlines to reduce exposure to ongoing threats.
Security professionals also strongly advise private organizations to review the KEV list regularly and promptly address any applicable vulnerabilities in their environments.
CISA has set a remediation deadline of June 19, 2026, for federal agencies to resolve this issue.