Vulnerability intelligence

CVE-2026-48907

A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.

CVSS Score

Critical

EPSS — Exploit Probability

0.8%

Riskier than 53% of all CVEs

Exploitation

Confirmed in the wild

KEV since 2026-06-16

Remediation

Patch available

Federal deadline 2026-06-19

NVD entry Vendor patch PoC / advisory CISA KEV

2 articles across 2 outlets · first covered Jun 16, 2026 · latest Jun 16, 2026

Tracked incidents

vulnerability open 2 articles

CISA adds Widget Factory Joomla Content Editor flaw (CVE-2026-48907) to KEV

Coverage timeline

CISA Adds CVE-2026-48907 Joomla Editor Flaw to Known Exploited List
www.cisa.gov · Jun 16, 2026
CISA adds critical Joomla editor flaw CVE-2026-48907 to KEV
cisa.gov · Jun 16, 2026