The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2026-48907 to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw affects Widget Factory Joomla Content Editor (JCE), a widely deployed content editing extension for Joomla websites.

The vulnerability carries a CVSS score of 10.0, the highest possible severity rating. It stems from improper access control that permits attackers to execute arbitrary PHP code on affected systems. No authentication is required: a remote attacker can achieve code execution through a simple HTTP request.

Joomla powers approximately 3.5 percent of all websites globally. JCE ranks among the most popular third-party extensions for the platform, with millions of installations across shared hosting environments, corporate websites, and e-commerce platforms. Compromise of a Joomla installation running vulnerable JCE code grants attackers shell access to web servers, enabling data theft, malware deployment, and lateral movement into connected networks.

CISA's addition of CVE-2026-48907 to the KEV catalog signals that exploitation activity extends beyond proof-of-concept development. Automated attack tools likely exist. Web application firewalls and intrusion detection systems may not catch sophisticated variants.

Organizations running Joomla with JCE must prioritize patching. Website administrators should immediately update JCE to the latest patched version. Where an immediate update is not possible, temporarily disabling the JCE extension prevents exploitation until patches are deployed. Monitoring web server logs for suspicious PHP execution patterns helps detect compromise attempts.
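
As an added example (not code from CISA, the JCE project or this article), the log monitoring recommended above could start from a scan like the following. The content-directory list, the `option=com_jce` routing check and the sample log lines are assumptions constructed for illustration; the article publishes no request indicators for CVE-2026-48907, so these are generic triage heuristics rather than signatures for it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Assumption: directories in a stock Joomla tree that hold uploaded or cached
# content and are not expected to serve executable PHP.
CONTENT_DIRS = ("/images/", "/media/", "/tmp/", "/cache/")
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def classify(line):
    """Return (ip, reason, target) for a suspicious access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    url = urlsplit(target)
    path = url.path.lower()
    # Heuristic 1: a PHP script answered with 2xx from a content directory.
    in_content_dir = any(d in path for d in CONTENT_DIRS)
    if PHP_EXT.search(path) and in_content_dir and status.startswith("2"):
        return ip, "php-in-content-dir", target
    # Heuristic 2: POST routed to the JCE component. Logged-in editors also
    # trigger this, so correlate hits with known editor sessions or addresses.
    option = parse_qs(url.query).get("option", [""])[0].lower()
    if method == "POST" and option == "com_jce":
        return ip, "post-to-com_jce", target
    return None


def scan(lines):
    """Classify every line and keep only the suspicious ones, in log order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines (documentation addresses, not from a real incident).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "POST /index.php?option=com_jce HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET /images/x.php HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '198.51.100.7 - - [01/Jan/2026:10:01:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reason, target in scan(SAMPLE):
        print(f"{ip}\t{reason}\t{target}")
```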

Hosting providers should enable automatic security updates for popular extensions or implement mandatory upgrade notifications. Shared hosting customers should verify their hosting provider has applied patches to all customer accounts.

The vulnerability likely remains exploitable at scale for weeks or