The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in the Widget Factory Joomla Content Editor (JCE), identified as CVE-2026-48907 with a CVSS score of 10.0, to its Known Exploited Vulnerabilities catalog. This vulnerability allows unauthenticated users to create new editor profiles, which leads to the upload and execution of PHP code. It affects JCE versions 1.0.0 through 2.9.99.4 and was patched in version 2.9.99.5, released on June 3, 2026.
Federal agencies must address this vulnerability by June 19, 2026, to protect their networks, and private organizations are also advised to review and mitigate this threat.