Widget Factory Joomla Content Editor JCE actively exploited improper access control security flaw (CVE-2026-48907)
Vulnerability
Summary
The Widget Factory Joomla Content Editor (JCE) flaw CVE-2026-48907 has been added to CISA's KEV catalog after evidence of active exploitation, putting affected Joomla sites at risk of PHP code upload and execution. The issue is an improper access control weakness that lets unauthenticated users create editor profiles and reach arbitrary code execution. JCE 1.0.0 through 2.9.99.4 are affected, and version 2.9.99.5 contains the fix.
Related Happenings
CISA KEV remediation order for CVE-2026-48907
Public Sector Action
H score: 89
First: 17.06.2026 08:50
Last: 17.06.2026 08:50
Sources 1
How related:
Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 19, 2026.
About this happening:
CISA added **CVE-2026-48907** to the **KEV catalog** and ordered **FCEB agencies** to apply fixes by **June 19, 2026**, forcing federal remediation of an **actively exploited** Jo...
CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551
Public Sector Action
H score: 49
First: 04.02.2026 07:50
Last: 04.02.2026 07:50
Sources 1
About this happening:
**CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...
Timeline
- 17.06.2026 08:50 · 1 article
Widget Factory ships JCE 2.9.99.5 to close editor-profile access flaw
Mitigation Patch Update: Widget Factory released JCE version 2.9.99.5 on June 3, 2026 to fix an improper access control flaw in Widget Factory Joomla Content Editor that let unauthenticated users create editor profiles and upload or execute PHP code; JCE versions 1.0.0 through 2.9.99.4 were affected.
Sources:
- CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution — thehackernews.com — 17.06.2026 08:50
- 17.06.2026 08:50 · 2 articles
CISA adds CVE-2026-48907 in Widget Factory Joomla Content Editor to KEV catalog
Initial Disclosure: CISA added CVE-2026-48907 in Widget Factory Joomla Content Editor to the Known Exploited Vulnerabilities catalog on June 17, 2026 after evidence of active exploitation; the maximum-severity improper access control flaw could enable arbitrary code execution through unauthenticated editor-profile creation.
Sources:
- CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution — thehackernews.com — 17.06.2026 08:50