CISA has added CVE-2026-48907 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw, an improper access control vulnerability in Widget Factory's Joomla Content Editor (JCE), allows unauthenticated users to create new editor profiles that can then be used to upload and execute arbitrary PHP code.
The vulnerability is an improper access control issue in the Joomla Content Editor component. No authentication is required; an attacker can create a privileged editor profile and then upload a malicious PHP file, achieving remote code execution on the affected server. The flaw has been assigned a CVSS v3.1 base score of 10.0, rated Critical. A security patch is available from the vendor via the JCE security update.
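The chain described above ends with PHP written into a directory that the editor manages and that should only ever hold media. The following is an added triage check for that end state; it is not code from CISA, Widget Factory or the JCE project, and it assumes only that the editor's upload tree (by default under the Joomla web root's media directories, here a constructed temporary tree) should contain nothing the PHP interpreter would execute. It goes slightly beyond the specific case by flagging PHP content regardless of extension and by flagging a `.htaccess` that could re-enable script execution in an upload directory.

```python
"""Triage check for a Joomla/JCE media upload tree.

Added example, not code from CISA, Widget Factory or the JCE project.
Assumption: the editor's upload directory should hold only media, so any
file the PHP interpreter would run (or any file containing a PHP open tag)
is worth a closer look during forensic triage.
"""
import os
import re
import tempfile

# Extensions a typical Apache/PHP deployment hands to the interpreter
# (assumption: adjust to the handlers configured on the server).
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}

# Opening tags that mark PHP code regardless of the file's extension.
PHP_TAG = re.compile(rb"<\?php|<\?=")


def classify_file(path: str) -> list[str]:
    """Return the reasons a file under the upload tree looks like executable PHP."""
    reasons = []
    name = os.path.basename(path).lower()
    parts = name.split(".")
    # Catch a PHP extension anywhere in the name: foo.php, foo.php.jpg, foo.jpg.php.
    suffixes = {"." + p for p in parts[1:]}
    if suffixes & PHP_EXTENSIONS:
        reasons.append("php-extension")
    try:
        with open(path, "rb") as fh:
            head = fh.read(64 * 1024)  # an open tag hidden behind image magic sits near the start
    except OSError:
        return reasons
    if PHP_TAG.search(head):
        reasons.append("php-open-tag")
    # A .htaccess inside an upload directory can add handlers or re-enable execution.
    if name == ".htaccess":
        reasons.append("htaccess-in-upload-dir")
    return reasons


def scan_upload_dir(root: str) -> dict[str, list[str]]:
    """Walk the upload tree; map relative path -> reasons for every suspicious file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = classify_file(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_tree() -> str:
    """Constructed sample upload tree (not real data) so the script runs stand-alone."""
    root = tempfile.mkdtemp(prefix="jce-triage-")
    samples = {
        "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,          # plain JPEG header
        "stories/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,   # plain PNG header
        "stories/photo.jpg": b"GIF89a<?php echo 'x'; ?>",          # PHP behind image magic
        "stories/cache.php": b"<?php /* placeholder */ ?>",        # PHP by extension
        "stories/.htaccess": b"AddHandler application/x-httpd-php .jpg\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    # On a real host, point scan_upload_dir at the editor's upload directory instead.
    root = build_sample_tree()
    for rel, why in sorted(scan_upload_dir(root).items()):
        print(f"{rel}: {', '.join(why)}")
```

A hit is not proof of compromise (legitimate extensions occasionally ship a `.htaccess`), but anything containing a PHP open tag inside a media tree, or a double extension ending in a PHP suffix, should be preserved and reviewed before the patch is applied, since patching closes the entry point without removing code that was already uploaded.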
CISA’s inclusion of this CVE in the KEV catalogue confirms that the vulnerability is being actively exploited in the wild. No public reports link this flaw to ransomware campaigns at present. Federal civilian executive branch (FCEB) agencies must apply the required mitigations by the remediation due date of 19 June 2026.
CISA directs FCEB agencies to apply mitigations in accordance with vendor instructions, ensuring compliance with BOD 26-04, "Prioritizing Security Updates Based on Risk", and the Forensics Triage Requirements. Agencies must follow the BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable, and they are responsible for evaluating each asset's internet exposure and adhering to BOD 26-04 patching guidelines. All other organisations are advised to review their exposure to Widget Factory's Joomla Content Editor and apply the available patch promptly.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-48907 and the CISA KEV catalogue.