CISA KEV remediation order for CVE-2026-48907
Public Sector Action
Summary
CISA added CVE-2026-48907 to the KEV catalog and ordered FCEB agencies to apply fixes by June 19, 2026, forcing federal remediation of an actively exploited Joomla flaw. The directive centers on Widget Factory Joomla Content Editor (JCE) and a maximum-severity access-control issue that can enable PHP code upload and execution. The action increases urgency for federal operators because the vulnerability is already treated as a known exploited weakness with a short compliance window.
Related Happenings
JCE Pro 2.9.99.6 patch for CVE-2026-48907
Security Patch Release
H score: 46
First: 17.06.2026 13:09
Last: 17.06.2026 13:09
Sources 1
How related:
"The JCE security team addressed this in early June with the release of JCE Pro 2.9.99.6, warning users to patch their installation as soon as possible."
About this happening:
**JCE security team** released **JCE Pro 2.9.99.6** in **early June 2026** to fix **CVE-2026-48907** in the **Widget Factory Joomla Content Editor (JCE) plugin**. The update addre...
Widget Factory Joomla Content Editor JCE actively exploited improper access control security flaw (CVE-2026-48907)
Vulnerability
H score: 89
First: 17.06.2026 08:50
Last: 17.06.2026 08:50
Sources 1
How related:
Tracked as CVE-2026-48907, this vulnerability can be exploited by threat actors without privileges to achieve code execution via low-complexity attacks targeting Joomla deployments that use the JCE WYSIWYG editor plugin.
About this happening:
The **Widget Factory Joomla Content Editor (JCE)** flaw **CVE-2026-48907** has been added to **CISA's KEV catalog** after evidence of **active exploitation**, putting affected Joo...
CISA KEV order for FCEB agencies on LiteSpeed cPanel flaw
Public Sector Action
H score: 36
First: 16.06.2026 13:47
Last: 16.06.2026 13:47
Sources 1
About this happening:
**CISA** added the **LiteSpeed cPanel user-end plugin** flaw to **KEV** and ordered **Federal Civilian Executive Branch agencies** to secure systems within **three days** under **...
CISA BOD 26-04 prioritizes vulnerability remediation for federal civilian agencies
Public Sector Action
H score: 27
First: 10.06.2026 15:00
Last: 10.06.2026 15:00
Sources 1
About this happening:
**CISA** issued **Binding Operational Directive 26-04** to require **federal civilian agencies** to prioritize vulnerability remediation using **Asset Exposure**, **KEV Status**,...
CISA orders FCEB patching for CVE-2026-9082
Public Sector Action
H score: 70
First: 26.05.2026 11:46
Last: 26.05.2026 11:46
Sources 1
About this happening:
**CISA** added **CVE-2026-9082** to the **KEV Catalog** and ordered **FCEB agencies** to patch **Drupal** by **May 27**, turning an actively exploited flaw into a mandatory federa...
Timeline
- 17.06.2026 08:50 · 1 article
Widget Factory releases JCE 2.9.99.5 to fix unauthenticated editor-profile uploads
Mitigation Patch Update
Widget Factory released JCE version 2.9.99.5 on June 3, 2026 to fix insufficient access controls that let unauthenticated users upload editor profiles and could enable PHP code upload and execution in Widget Factory Joomla Content Editor (JCE).
Sources:
- CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution — thehackernews.com — 17.06.2026 08:50
- 17.06.2026 08:50 · 3 articles
CISA adds CVE-2026-48907 to KEV and orders FCEB remediation by June 19, 2026
Legal Policy Action Update
CISA added CVE-2026-48907 affecting Widget Factory Joomla Content Editor (JCE) to the Known Exploited Vulnerabilities (KEV) catalog after citing active exploitation, and Federal Civilian Executive Branch (FCEB) agencies were ordered to apply the fixes by June 19, 2026. The action addresses a maximum-severity improper access control flaw that can enable PHP code upload and execution through unauthenticated editor-profile creation.
Sources:
- CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution — thehackernews.com — 17.06.2026 08:50
- CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution — thehackernews.com — 17.06.2026 08:50
- CISA orders feds to patch max severity Joomla plugin flaw by Friday — www.bleepingcomputer.com — 17.06.2026 13:09