CISA Flags Actively Exploited JCE Joomla Plugin RCE
CISA added CVE-2026-48907 to its Known Exploited Vulnerabilities catalog after reports of active exploitation against the Widget Factory Joomla Content Editor (JCE) plugin. The maximum-severity improper access control flaw lets unauthenticated attackers create new editor profiles and then upload and execute PHP code, resulting in remote code execution on vulnerable Joomla sites. The KEV update raised the catalog total to 1,622 entries and set a federal remediation deadline of 2026-06-19 under BOD 26-04.
Vendor and media reporting said the issue affects JCE versions 1.0.0 through 2.9.99.4, with fixes released in 2.9.99.5 and later, including JCE Pro 2.9.99.6. The JCE team also issued a free patch for older sites and warned that public exploit code is available, attacks are automated, and sites without public registration can still be targeted. Security reporting noted that applying the update blocks the initial access path but does not remove any persistence, web shells, or malware that attackers may already have deployed on compromised servers.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
CISA orders federal agencies to remediate JCE flaw by June 19
Following KEV inclusion, CISA directed Federal Civilian Executive Branch agencies to remediate CVE-2026-48907 by June 19, 2026 under Binding Operational Directive guidance. Reporting also noted public exploit code exists and attacks are automated.
JCE recommends upgrading to version 2.9.99.6
A new reference states that administrators should upgrade Joomla Content Editor to JCE 2.9.99.6 immediately, or at minimum to 2.9.99.5, indicating a newer recommended release beyond the previously documented fix. The same guidance also suggests temporarily blocking PHP execution in the tmp/ directory while investigating compromise.
CISA adds CVE-2026-48907 to the KEV catalog
CISA added CVE-2026-48907, a Widget Factory Joomla Content Editor improper access control flaw enabling unauthenticated profile creation and PHP upload/execution, to its Known Exploited Vulnerabilities catalog. The KEV entry set a remediation due date of June 19, 2026 and indicates exploitation in the wild.
JCE publishes security update and free patch for older sites
The JCE project published a security update announcement and offered a free patch for older sites. This reflects the vendor's public response to the vulnerability.
Public GitHub PoC exploit for CVE-2026-48907 is published
A public proof-of-concept exploit for the JCE flaw CVE-2026-48907 was published on GitHub. Reporting tied the PoC to subsequent automated attacks exploiting the vulnerability in the wild.
JCE releases version 2.9.99.6 with additional hardening
JCE followed its June 3 fix for CVE-2026-48907 by releasing version 2.9.99.6 on June 6, 2026 with additional hardening measures. The report says administrators should investigate for compromise because patching alone does not remove implanted malware.
JCE releases fix for CVE-2026-48907 in version 2.9.99.5
Widget Factory fixed CVE-2026-48907, an improper access control flaw in Joomla Content Editor, in JCE version 2.9.99.5. Security Affairs states this release occurred on June 3, 2026 and that affected versions were 1.0.0 through 2.9.99.4.
JCE 2.9.99.6 identified as fix for CVE-2026-48907
A new reference states that CVE-2026-48907 affects JCE 2.9.99.5 and was fixed in version 2.9.99.6 and later. The report also shares indicators of compromise, including suspicious requests to the JCE profile import endpoint and unexpected PHP or related files in Joomla environments.
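The two defensive steps the reporting describes, temporarily blocking PHP execution under tmp/ while investigating, and checking for suspicious requests to the JCE profile import endpoint and stray PHP files, as an added shell example. This is not code from the page, CISA, Widget Factory or the JCE project. The access-log lines are constructed, the `com_jce` component name and the Apache 2.4 `.htaccess` mechanics are assumptions, and the request pattern is a placeholder because the page does not give the endpoint path; take the real one from the vendor advisory.

```shell
#!/bin/sh
# Added example, not code from the page, CISA or the JCE project.
# Assumptions: access log in combined format, JCE's Joomla component is
# com_jce, Apache 2.4 honours .htaccess under tmp/. The profile-import
# request pattern is a PLACEHOLDER: take the real one from the advisory.

# Count POST requests whose request line matches PATTERN. Creating or
# importing a profile is a write, so GETs to the same component are ignored.
count_profile_import_posts() {
    log="$1"; pattern="$2"
    grep -E '"POST [^"]*'"$pattern" "$log" | wc -l | tr -d ' '
}

# Source IPs for those POSTs, one "count ip" per line, busiest first.
profile_import_sources() {
    log="$1"; pattern="$2"
    grep -E '"POST [^"]*'"$pattern" "$log" | awk '{print $1}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# PHP-like files under Joomla's tmp/ (it should contain no PHP at all).
find_php_in_tmp() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.php[0-9]' \) | sort
}

# Temporary mitigation: refuse to serve PHP out of tmp/ (Apache 2.4 syntax;
# nginx needs an equivalent location rule). Prints the path written.
write_tmp_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Temporary: deny PHP under tmp/ while the compromise is investigated
<FilesMatch "(?i)\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
    printf '%s/.htaccess\n' "$1"
}

# Constructed sample log (not real traffic) so the block runs offline.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [04/Jun/2026:10:01:02 +0000] "POST /index.php?option=com_jce&task=PLACEHOLDER_IMPORT HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [04/Jun/2026:10:01:03 +0000] "POST /index.php?option=com_jce&task=PLACEHOLDER_IMPORT HTTP/1.1" 200 498 "-" "python-requests/2.31"
198.51.100.7 - - [04/Jun/2026:10:02:15 +0000] "GET /index.php?option=com_jce&task=PLACEHOLDER_IMPORT HTTP/1.1" 403 210 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jun/2026:10:05:40 +0000] "POST /index.php?option=com_jce&task=PLACEHOLDER_IMPORT HTTP/1.1" 200 501 "-" "curl/8.4.0"
192.0.2.5 - - [04/Jun/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF
}

# Stand-alone demo on constructed data; point the functions at real paths instead.
run_demo() {
    work=$(mktemp -d)
    write_sample_log "$work/access.log"
    mkdir -p "$work/tmp/cache"
    : > "$work/tmp/cache/upload.php"; : > "$work/tmp/readme.txt"
    pattern='option=com_jce&task=PLACEHOLDER_IMPORT'   # placeholder
    echo "profile-import POSTs: $(count_profile_import_posts "$work/access.log" "$pattern")"
    profile_import_sources "$work/access.log" "$pattern"
    echo "PHP files under tmp/:"; find_php_in_tmp "$work/tmp"
    write_tmp_htaccess "$work/tmp"
    rm -rf "$work"
}
run_demo
```

Patching removes the access path but not what was dropped through it, so the log and tmp/ checks are the part to keep running after the upgrade; a hit on either is a reason to treat the host as compromised rather than merely vulnerable.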
Sources
CVE-2026-48907, LiteSpeed CPanel Plugin Flaws Exploited (thecyberexpress.com)
Max severity Joomla Content Editor extension flaw targeted in automated attacks (scworld.com)
U.S. CISA adds Widget Factory Joomla Content Editor (JCE) flaw to its Known Exploited Vulnerabilities catalog (securityaffairs.com)
Joomla JCE Critical RCE Exploit Impacts Linux Web Servers CISA KEV (linuxsecurity.com)
JCE security update, and a free patch for older sites (joomlacontenteditor.net)
Russian-language article on the JCE vulnerability, title garbled in extraction (opennet.ru)
Russian-language article on the JCE vulnerability, title garbled in extraction (opennet.me)
The JCE Profiles Hack: Find and Fix It (mysites.guru)