CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw in Widget Factory's Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday, citing active exploitation. The vulnerability, tracked as CVE-2026-48907 and assigned the maximum CVSS score of 10.0, stems from improper access control and allows arbitrary PHP code execution on affected systems. CISA requires federal civilian executive branch agencies to patch the vulnerability by May 28, 2026. JCE is a popular editor component for Joomla, a widely used content management system. The flaw's severity and its active exploitation make it an immediate threat to websites running a vulnerable JCE version. Organizations using JCE are strongly advised to update to a patched version or implement mitigating controls to prevent compromise. The KEV catalog is a resource for identifying and prioritizing the remediation of vulnerabilities known to be exploited.
Original source — read the full reporting at the publisher:
Read on The Hacker News