CISA flags critical Joomla editor flaw actively exploited in the wild

A critical vulnerability in the popular Joomla Content Editor (JCE) extension is now officially on the radar of U.S. cybersecurity authorities. The Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw, tracked as CVE-2026-48907 with the maximum CVSS score of 10.0, to its Known Exploited Vulnerabilities (KEV) catalog. CISA only lists a CVE in the KEV catalog when it has reliable evidence of active exploitation, so the addition confirms the bug is being used in real attacks.
A flaw that bypasses authentication to upload malicious code
The issue is improper access control within the JCE editor extension. An attacker can create new editor profiles that apply to unauthenticated users, and a profile that grants upload rights to unauthenticated users in turn allows PHP code to be uploaded to and executed on the affected Joomla site. Because the editor's normal authentication checks are sidestepped at the profile level rather than at login, the result is unauthenticated remote code execution, which is why the flaw scores 10.0. According to CISA's advisory, JCE versions 1.0.0 through 2.9.99.4 are affected; the fix shipped in version 2.9.99.5 on June 3, 2026. Upgrading closes the entry point but does not undo what an attacker may already have done, so after patching, administrators should review the JCE editor profiles for any that apply to unauthenticated users and check the upload directories for unexpected PHP files.
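The first question an administrator has is whether the installed JCE version falls inside the affected range. The following is an added example, not code from the article or from the JCE project, that performs that check with a numeric version comparison (a plain string comparison would wrongly rank 2.9.99.10 below 2.9.99.5). It assumes the version is read from Joomla's `#__extensions` table, whose `manifest_cache` column holds the extension manifest as JSON; the table prefix, the `element` values `com_jce` and `jce`, and the sample rows are constructed for the example and are assumptions, not data from the page.

```python
"""Triage helper for CVE-2026-48907 (JCE affected range 1.0.0 through 2.9.99.4,
fixed in 2.9.99.5, per the CISA advisory quoted in the article).

Added example, not the article's or the JCE project's own code. Assumptions:
the installed version comes from Joomla's <prefix>_extensions.manifest_cache
JSON column; the prefix and the element names used below are site-specific.
"""
import json
import re

AFFECTED_MIN = "1.0.0"   # lowest affected version listed by CISA
FIXED_IN = "2.9.99.5"    # first fixed version listed by CISA


def parse_version(version):
    """Turn '2.9.99.4' (or '2.9.99.4-beta') into a tuple of ints.

    Anything after a '-' is treated as a pre-release tag and ignored, so a
    pre-release build is compared as its base number.
    """
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def vcmp(a, b):
    """Return -1, 0 or 1 comparing dotted versions numerically.

    Shorter tuples are zero-padded so '2.9.99' equals '2.9.99.0'.
    """
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(version):
    """True when AFFECTED_MIN <= version < FIXED_IN."""
    return vcmp(version, AFFECTED_MIN) >= 0 and vcmp(version, FIXED_IN) < 0


def version_from_manifest_cache(cache_json):
    """Extract the 'version' field from a manifest_cache JSON string.

    Returns None for malformed JSON or a row without a version, so a broken
    cache shows up as 'unknown' rather than silently passing as patched.
    """
    try:
        return json.loads(cache_json).get("version")
    except (ValueError, AttributeError):
        return None


def triage(extension_rows):
    """Classify (element, manifest_cache) rows as returned by e.g.
    SELECT element, manifest_cache FROM <prefix>_extensions
     WHERE element IN ('com_jce', 'jce');   -- element names are assumed

    Returns a list of (element, version, vulnerable) where vulnerable is
    True, False, or None when the version could not be determined.
    """
    results = []
    for element, cache_json in extension_rows:
        version = version_from_manifest_cache(cache_json)
        flag = is_vulnerable(version) if version else None
        results.append((element, version, flag))
    return results


# Constructed sample rows standing in for a real query result: a component
# still on the last affected build and an editor plugin already on the fix.
SAMPLE_ROWS = [
    ("com_jce", '{"name": "JCE Editor", "type": "component", "version": "2.9.99.4"}'),
    ("jce", '{"name": "Editor - JCE", "type": "plugin", "version": "2.9.99.5"}'),
    ("jce_broken", "not json at all"),
]

if __name__ == "__main__":
    for element, version, flag in triage(SAMPLE_ROWS):
        state = {True: "VULNERABLE", False: "patched", None: "unknown"}[flag]
        print(f"{element:12} {version or '?':10} {state}")
```

Run against a real site by replacing `SAMPLE_ROWS` with the rows returned by the query in the `triage` docstring; any `None` result means the manifest cache could not be read and the version should be confirmed from the extension manager instead.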
Urgent patching required under federal directive
CISA's Binding Operational Directive (BOD) 22-01 requires federal civilian executive branch (FCEB) agencies to remediate vulnerabilities in the KEV catalog by the deadline set for each entry. Agencies must address CVE-2026-48907 by June 19, 2026. Private organizations are not legally bound by BOD 22-01, but CISA strongly recommends that they review the catalog and apply fixes promptly. No public details about the ongoing attacks have been released so far; that silence should not be mistaken for an absence of attacks, since KEV inclusion itself requires CISA to hold reliable evidence of active exploitation.
Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.

