CISA Adds Joomla JCE Flaw CVE-2026-48907 to KEV Catalog

CISA's KEV addition is the defender's signal to verify Joomla JCE patches across managed deployments, confirming every Content Editor install is on the fixed 2.9.99.5 build before automated scanning reaches it.

Share
Flat white line-art of a content editor window beside a catalog list card, on an Antique Gold background — CISA Joomla JCE KEV addition.

Key Takeaways

  • CISA on June 16, 2026 added CVE-2026-48907, a maximum-severity improper access control vulnerability in the Widget Factory Joomla Content Editor (JCE) extension, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation; the flaw carries a CVSS score of 10.0 and can allow the upload and execution of PHP code through the creation of new editor profiles by unauthenticated users.
  • The vulnerability affects JCE versions 1.0.0 through 2.9.99.4 and is fixed in version 2.9.99.5, released on June 3, 2026; because JCE is one of the most widely installed editor extensions across the Joomla ecosystem, the population of potentially exposed sites is large.
  • Reporting indicates exploitation is automated and working exploit code is public, making the KEV addition a clear signal for defenders managing Joomla deployments to inventory every JCE install, confirm it is on the fixed build, and check for signs of prior compromise — since patching closes the entry point but does not remove anything an attacker may already have placed.

CISA's KEV addition is the defender's signal to verify Joomla JCE patches across managed deployments.

WASHINGTON — The Cybersecurity and Infrastructure Security Agency (CISA) on June 16, 2026 added a maximum-severity flaw in the Widget Factory Joomla Content Editor (JCE) extension to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2026-48907 and assigned a CVSS score of 10.0, the vulnerability is an improper access control issue that, according to CISA, could allow the upload and execution of PHP code through the creation of new editor profiles by unauthenticated users. The extension is one of the most widely deployed editors in the Joomla content management system (CMS) ecosystem, which is what gives the listing its weight.

For defenders, the KEV addition is less a breaking-news event than a prioritization signal. It tells federal agencies — and, by extension, every organization that manages Joomla sites — that this is a flaw being used against real systems now, not a theoretical risk. Reporting indicates the attacks are automated and working exploit code is public, which collapses the window between disclosure and opportunistic scanning. That places the vulnerability squarely in the same operational category as other recent KEV entries that drove federal patch mandates for widely hosted web software.

At a Glance
FieldDetails
CVECVE-2026-48907
ProductJoomla CMS (third-party extension)
ExtensionWidget Factory Joomla Content Editor (JCE)
TypeImproper access control — unauthenticated PHP code execution
AffectedJCE 1.0.0 through 2.9.99.4
Fixed inJCE 2.9.99.5 (released June 3, 2026)
KEV deadlineNot specified
StatusAdded to CISA KEV June 16, 2026; active exploitation reported

What CISA Added

On June 16, 2026, CISA added CVE-2026-48907 to its Known Exploited Vulnerabilities catalog, the agency's running list of flaws it has confirmed are being exploited in the wild. The agency's alert describes the Widget Factory Joomla Content Editor as containing an improper access control vulnerability that could allow for the upload and execution of PHP code via the creation of new editor profiles for unauthenticated users. The vulnerability carries a CVSS score of 10.0, the maximum on the scale, reflecting that it requires no authentication, can be triggered over the network, and leads to code execution on the underlying server.

The root cause, as described in reporting, is a broken access control issue in JCE's profile import function. By sending crafted requests to the import endpoint, an unauthenticated user can bypass the checks that should gate that function, create a new editor profile, and use it to place and run PHP files on the host. That chain — from an exposed import endpoint to arbitrary code execution — is what turns a configuration-level weakness into a full server-side foothold, and it is why the flaw sits at the top of the severity band rather than in the middle of it.

JCE is a third-party extension rather than part of Joomla core, but the distinction matters less than its reach. It is among the most widely installed editor extensions across Joomla deployments, which means the population of sites potentially running an affected version is large. A KEV listing for a flaw in software this broadly deployed is the kind of entry that tends to drive coordinated patching across both the public sector and the managed-hosting providers that run Joomla sites at scale.

Why Joomla Deployments Matter to Defender Teams

Joomla powers a meaningful slice of the web's content management footprint, and much of that footprint sits on shared and managed hosting where a single operator may be responsible for hundreds or thousands of sites. That concentration is exactly what makes a maximum-severity, unauthenticated flaw in a popular extension a defender's problem rather than only an individual site owner's. One unpatched JCE install is a route to code execution; a hosting estate full of them is a target-rich environment for automated scanning.

The economics of CMS exploitation favor the attacker here. When a flaw requires no credentials and the vulnerable extension is common, opportunistic operators can scan broadly and exploit at low cost, treating every reachable install as a candidate. That pattern is familiar from prior incidents across the CMS landscape, including SQL injection campaigns against Ghost CMS deployments and supply-chain compromises that rode popular WordPress plugins into thousands of sites at once. The common thread is reach: the more widely an affected component is deployed, the more valuable a single working exploit becomes.

For defender teams, the practical consequence is that the unit of risk is not one site but the whole managed estate. A security team or hosting provider that knows a popular extension carries a KEV-listed, actively exploited flaw should treat the question "are any of our managed sites running an affected JCE build?" as urgent and answerable, not as background hygiene. The KEV listing exists precisely to make that prioritization call easy.

Patch Verification for Joomla Site Owners and Hosting Providers

The remediation is unambiguous: update JCE to version 2.9.99.5, the release in which Widget Factory fixed the flaw. That build shipped on June 3, 2026, roughly two weeks before the KEV listing, so a fixed version was already available by the time CISA confirmed active exploitation. The affected range runs from JCE 1.0.0 through 2.9.99.4, which means any install that has not been updated to 2.9.99.5 or later should be treated as exposed.

The verification work is where most of the effort lands. For a single site, confirming the JCE version is a quick check in the Joomla extensions manager. For a hosting provider or an organization running many Joomla sites, the task is an inventory problem: enumerate every Joomla instance, identify which ones have JCE installed, and record the installed version against the 2.9.99.5 threshold. The goal is to avoid assuming that a representative site speaks for the whole estate, because extension versions can drift independently across installs that were set up or last maintained at different times.

Patching also carries a caveat that defenders should not skip over. As reporting from The Hacker News on this flaw stresses, updating closes the entry point but does not clean a site that was already compromised. If a site was reached before the update, the fix will not remove a web shell, rogue profile, or other artifact an operator may have left behind. That makes patch verification the first step of two: confirm the fixed build, then check whether the install shows signs of having already been exploited before the patch went on.

Defender Posture for Shared-Hosting Environments

Shared and managed hosting raises the stakes because the blast radius of a single compromised site can extend beyond that site. An attacker who achieves PHP code execution on one tenant may be positioned to probe the boundaries between accounts, abuse shared resources, or use the foothold as a staging point. For providers, that is why a KEV-listed flaw in a popular CMS extension is a fleet-level event, and why the response is best coordinated centrally rather than left to individual customers to discover on their own.

The detection and hardening opportunities map directly onto how this flaw is exploited. Because the technique centers on creating a new editor profile through an import endpoint and then placing PHP files, defenders can look for the signatures of that chain: unexpected new editor profiles, requests to the JCE import endpoint from unauthenticated sources, and the appearance of new or modified PHP files in directories that should be static. Telemetry that surfaces unexpected file writes on a Joomla host is especially relevant, since the end state of the exploit is a file dropped and executed.

None of this replaces patching — it complements it. Restricting who can reach administrative and import endpoints, logging requests to them, and monitoring for unexpected file changes are durable controls that outlast any single CVE. For a hosting provider, building those checks into the platform turns a reactive scramble after each KEV listing into a standing posture, where confirming the fixed build is one line item in a broader, already-instrumented response.

Open Questions

Several points are worth keeping in view as this one develops. CISA's KEV addition confirms active exploitation but, as with all KEV entries, does not by itself quantify how many sites have been reached or by whom; the scale of compromise across the Joomla estate is something defenders will only learn over time as hosting providers and researchers report what they find. The reporting that has emerged describes automated scanning and a path to a persistent web shell, consistent with opportunistic operators rather than a single targeted campaign, but attribution and total impact remain open. This piece draws on a single primary advisory plus initial reporting, so the finer operational details may be refined as more is published — a normal feature of KEV-driven disclosures in their first days.

What is confirmed is enough to act on. A maximum-severity, unauthenticated code-execution flaw in one of Joomla's most widely deployed editor extensions is on CISA's KEV catalog, a fixed build (2.9.99.5) has been available since early June, and the affected range covers everything below it. For defenders the read is straightforward: treat verification of every managed JCE install as a near-term priority, confirm each is on the fixed build, and pair the update with a check for prior compromise. The KEV listing is the signal; the verification is the work.


The CyberSignal Analysis

The reported facts above are drawn from CISA's KEV listing and initial reporting; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts.

Signal 01 — Third-Party Extensions Are the CMS Attack Surface That Matters

The flaw here is not in Joomla core — it is in JCE, a third-party editor extension — and that distinction is the whole story rather than a footnote. A CMS is only as defensible as the least-maintained extension bolted onto it, and popular extensions accumulate the reach that makes a single bug a fleet-level event. Our reading is that defenders who inventory only their core-CMS versions are measuring the wrong thing; the extension layer is where the exploitable, widely deployed, unauthenticated code paths tend to live.

That reframing has a practical edge. An organization that treats "we run Joomla" as its unit of risk will miss that the real question is which extensions are installed, at what versions, across every managed instance. The extension inventory — not the platform label — is the artifact that lets a team answer a KEV listing in minutes instead of days, and building it before the next maximum-severity extension bug lands is the durable investment.

Signal 02 — A KEV Listing Is a Scanning Accelerant, Not Just a Deadline

The most actionable signal in the KEV addition is timing. With working exploit code public and attacks already automated, the listing does not merely start a compliance clock — it marks the point at which opportunistic scanning of every reachable install intensifies. Our assessment is that the window between a KEV entry and broad scanning of the affected population is now effectively zero for a flaw this cheap to exploit, which changes patch verification from a scheduled task into a race.

For defenders, the interpretation is to treat the KEV date as the moment exposure peaks, not the moment remediation can begin planning. The teams that bound this class of incident are the ones that had the fixed build (2.9.99.5, available since June 3) staged before June 16, so the listing triggered verification rather than a scramble to source a patch. The signal to internalize is that KEV timing compresses the defender's schedule to match the attacker's.

Signal 03 — Shared Hosting Turns One Bug Into a Blast-Radius Problem

The reason this flaw reads as a hosting-provider event rather than a site-owner nuisance is blast radius. Unauthenticated PHP code execution on one tenant of a shared or managed platform is a foothold that may let an attacker probe account boundaries, abuse shared resources, or stage further activity — so the harm of a single unpatched JCE install does not stay contained to that install. Our reading is that the concentration of Joomla sites on managed hosting is precisely what elevates a common-extension bug to a fleet-wide priority.

The forward-looking watch item is centralization of response. A provider that pushes verification and patch confirmation across its estate centrally converts each future KEV listing into a routine line item; one that leaves discovery to individual customers inherits the blast radius of every install they miss. We would treat the durability of that central posture — not the patching of this one CVE — as the measure of whether a hosting estate is actually defensible against the next extension flaw.


Sources

TypeSource
PrimaryCISA — Known Exploited Vulnerabilities Catalog (CVE-2026-48907)
PrimaryCISA — Alert: CISA Adds One Known Exploited Vulnerability to Catalog (June 16, 2026)
ReportingThe Hacker News — CISA Warns of Actively Exploited Joomla JCE Flaw
RelatedThe CyberSignal — CISA Adds cPanel Flaw CVE-2026-41940 to KEV
RelatedThe CyberSignal — Ghost CMS CVE-2026-26980 SQL Injection