CISA has added CVE‑2026‑48907 to its Known Exploited Vulnerabilities catalogue (catalog entry) after confirming active exploitation in the wild. The flaw resides in Widget Factory’s Joomla Content Editor and permits unauthenticated attackers to execute arbitrary PHP code on vulnerable servers. A security patch is already available from the vendor.
Tracked as CVE‑2026‑48907, the vulnerability carries a CVSS v3.1 base score of 10.0, rating it Critical. It stems from an improper access control check in the editor’s profile creation routine, allowing anyone to craft a privileged editor profile without logging in. Once the profile exists, the attacker can upload a malicious PHP file and trigger remote code execution.
No authentication is required for the initial step, and the subsequent file upload leverages the editor’s normal asset handling functionality. Successful exploitation gives the attacker full control of the underlying web server, enabling data theft, further malware deployment or persistence mechanisms. Widget Factory has released a JCE security update that addresses the flaw.
CISA’s decision to list the flaw underlines that it is being exploited in the wild, although no specific threat actor has been publicly linked to the activity. The addition follows a recent uptick in attacks targeting popular Joomla extensions, highlighting the risk posed by third‑party components. Organizations using the affected editor should assume compromise unless they verify patch status.
Defenders should apply the JCE security update immediately; if immediate patching is not feasible, the component can be disabled or access restricted via web‑server rules to block unauthenticated requests to the editor’s profile endpoint. Administrators ought to review access logs for unexpected profile creations and suspicious file uploads, and consider deploying a web application firewall to filter malicious traffic.
Beyond this specific issue, maintaining an up‑to‑date inventory of all Joomla plugins and applying updates as soon as they are released remains a core hygiene practice. Subscribing to CISA’s KEV feed and vulnerability advisories helps prioritize remediation efforts. Regular backups and tested incident‑response plans ensure that any breach can be contained and recovered from swiftly.
Security teams should also hunt for Indicators of Compromise such as unexpected new user groups in the Joomla database, unfamiliar PHP files in the images or tmp directories, and outbound connections from the web host to unknown IP addresses. Enabling detailed audit logging for the administrator interface and correlating those events with authentication failures can help spot early abuse. Finally, consider isolating the web server behind a reverse proxy that enforces strict input validation and limits HTTP methods to those strictly required by the site.