CISA warns of actively exploited Joomla editor flaw rated maximum severity

The U.S. Cybersecurity and Infrastructure Security Agency on Tuesday added a maximum-severity flaw in the Widget Factory Joomla Content Editor to its Known Exploited Vulnerabilities catalog, citing active exploitation of CVE-2026-48907, a bug with a CVSS score of 10.0.

KEY FACTS

  • Vulnerability: CVE-2026-48907 is an improper access control issue in the JCE editor extension for Joomla.
  • Risk: The flaw can let unauthenticated users create editor profiles and upload PHP code.
  • Patch: Version 2.9.99.5, released on June 3, 2026, fixes the issue.
  • Deadline: Federal civilian agencies must apply the fix by June 19, 2026.

CISA said the flaw could allow unauthenticated users to create new editor profiles and, through them, upload and execute PHP code. The issue affects JCE versions 1.0.0 through 2.9.99.4.

The CVE record says the flaw sits in the JCE editor extension for Joomla and can be used to create new editor profiles without authentication. Widget Factory said in its release notes that insufficient access controls allowed unauthenticated users to upload editor profiles.

There is no public information yet on how the flaw is being exploited in the wild. The advisory places the issue among vulnerabilities that agencies are required to address quickly once abuse has been confirmed.

WHY IT MATTERS

High-severity flaws in widely used web software can give attackers a direct path to code execution and server compromise. The disclosure also shows how government lists of known exploited bugs are used to push faster patching when evidence of active abuse emerges.