ZCyberNews

CISA Adds Joomla JCE Flaw CVE-2026-48907 to KEV Catalog


Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a maximum-severity vulnerability in the Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The flaw, tracked as CVE-2026-48907, carries a CVSS score of 10.0 — the highest possible severity — and stems from an improper access control mechanism that allows unauthenticated attackers to execute arbitrary PHP code on vulnerable Joomla installations.

Defenders running Joomla sites with the JCE plugin should treat this as a critical priority. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply mitigations by July 7, 2026, per Binding Operational Directive (BOD) 22-01. While the directive applies only to U.S. federal agencies, the active exploitation evidence strongly suggests that all Joomla administrators should patch immediately.

Technical Analysis

The vulnerability resides in the Widget Factory Joomla Content Editor (JCE), a popular WYSIWYG editor plugin for Joomla that extends the default content editing capabilities. According to the advisory published by CISA, CVE-2026-48907 is an improper access control vulnerability that enables an attacker to bypass authentication checks and execute arbitrary PHP code on the underlying server.

Under CVSS v3.1, a base score of 10.0 is only reachable with a network attack vector, low attack complexity, no privileges, no user interaction, a changed scope, and high impact on at least two of confidentiality, integrity and availability; without the scope change the ceiling is 9.8. The KEV entry does not carry a vector string, so the 10.0 should be read as "remote, pre-authentication, low effort, impact beyond the vulnerable component" rather than as a description of any particular request. An exploit would presumably involve a crafted HTTP request to a JCE handler that reaches the code-execution path without a valid session, but no request details have been published. KEV entries are terse by design: they record the vulnerability, the required action and a due date, not exploit mechanics, so the absence of detail in CISA's listing is normal and says nothing about how easy the bug is to trigger.

Widget Factory has not yet released a public statement or a patched version of the JCE plugin as of this writing. The company's website lists JCE version 2.9.80 as the most current release, but it is unclear whether this version addresses the vulnerability or if an update is pending. CISA's KEV entry does not specify an affected version range, though the vulnerability likely affects all unpatched installations of the plugin.

The JCE plugin is widely used across Joomla-powered websites, including government portals, educational institutions, media outlets, and small-to-medium businesses. The combination of a maximum CVSS score, active exploitation, and broad deployment makes this a high-risk scenario for the web hosting and content management ecosystem.

Mitigations & Recommendations

CISA has directed FCEB agencies to remediate CVE-2026-48907 by July 7, 2026. For all other organizations, the primary mitigation is to apply a security update from Widget Factory as soon as one becomes available. In the interim, defenders should consider the following actions:

  • Disable the JCE plugin on production Joomla sites if the editor is not essential for daily operations; Joomla's built-in editor can serve as a temporary replacement. JCE ships as a package containing both an editor plugin and the com_jce component, so disable or uninstall both: switching off only the editor plugin may leave the component's request handlers reachable.
  • Monitor web server access logs for anomalous POST requests to JCE-related endpoints (the com_jce component, whether reached through the site front end or /administrator/, and the plugins/editors/jce/ directory), particularly requests carrying PHP source in parameters, PHP filenames in upload-style requests, or followed shortly afterwards by a request for a .php file under the /images/ media directory.
  • Apply web application firewall (WAF) rules to block known exploitation patterns. Generic PHP code injection signatures may provide partial protection until a vendor patch is released, but they are easily evaded with encoding, so also block the execution of .php files from upload directories at the web server level.
  • Restrict network access to the Joomla administrative interface (e.g., /administrator/) to trusted IP ranges. Because the flaw is exploitable without authentication, treat this as defence in depth rather than a fix: if the vulnerable handler is reachable through the public front end, an /administrator/ allow-list alone will not block it.
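The log-monitoring and WAF items above can be turned into a first-pass triage script. The following is an added example written for this article, not code from Widget Factory, Joomla or CISA. Since the vulnerable request path for CVE-2026-48907 has not been published, the JCE endpoint patterns and payload markers are assumptions that flag generic signs of abuse (POSTs to JCE handlers, PHP source in parameters, PHP filenames in upload-style requests, PHP scripts served from the media directory) rather than a known exploit signature. The log lines are constructed for the demonstration.

```python
"""Triage Apache/nginx "combined" access logs for requests aimed at JCE.

Added example for this article, not code from Widget Factory, Joomla or CISA.
JCE_SURFACE, PHP_MARKERS and the sample log lines are assumptions/constructed
data; the real exploit request for CVE-2026-48907 is not public.
"""
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumed JCE request surface: the com_jce component (front end and
# administrator) and the editor plugin directory.
JCE_SURFACE = ("option=com_jce", "/components/com_jce/", "/plugins/editors/jce/")

# Fragments that should not appear in legitimate editor traffic.
PHP_MARKERS = ("<?php", "<?=", "eval(", "base64_decode(", "system(",
               "passthru(", "shell_exec(", "exec(")

# Joomla's default media root; a .php served from here is a classic webshell sign.
MEDIA_DIRS = ("/images/", "/tmp/")

PHP_FILE_RE = re.compile(r"[\w.-]+\.(?:php\d?|phtml|phar)(?=[?&/]|$)")


def decode_target(target):
    """Lower-case and URL-decode twice so double-encoded payloads are caught."""
    return unquote_plus(unquote_plus(target)).lower()


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(line):
    """Return a finding dict for a suspicious line, or None if nothing matched."""
    rec = parse_line(line)
    if rec is None:
        return None
    dec = decode_target(rec["target"])
    path = dec.split("?", 1)[0]
    reasons = []
    touches_jce = any(s in dec for s in JCE_SURFACE)
    if touches_jce and rec["method"] == "POST":
        reasons.append("POST to JCE handler")
    if any(mk in dec for mk in PHP_MARKERS):
        reasons.append("PHP source or dangerous call in request")
    php_names = [n for n in PHP_FILE_RE.findall(dec) if n != "index.php"]
    if touches_jce and php_names:
        reasons.append("PHP filename in JCE request: " + ", ".join(php_names))
    if any(path.startswith(d) for d in MEDIA_DIRS) and PHP_FILE_RE.search(path):
        reasons.append("PHP script requested under media directory")
    if not reasons:
        return None
    return {"ip": rec["ip"], "method": rec["method"], "status": rec["status"],
            "target": rec["target"], "reasons": reasons}


def triage_log(lines):
    return [f for f in (triage(line) for line in lines) if f]


# Constructed sample: one normal editor request, one ordinary upload, one
# upload attempt carrying PHP, and the follow-up hit on the dropped file.
LOG_SAMPLE = [
    '203.0.113.7 - - [30/Jun/2026:10:02:11 +0000] "GET /index.php?option=com_jce&task=plugin.display&plugin=link HTTP/1.1" 200 5120 "https://example.org/administrator/" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Jun/2026:10:02:40 +0000] "POST /index.php?option=com_jce&task=plugin.upload&plugin=filemanager HTTP/1.1" 200 88 "https://example.org/administrator/" "Mozilla/5.0"',
    '198.51.100.23 - - [30/Jun/2026:10:15:03 +0000] "POST /index.php?option=com_jce&task=plugin.upload&file=shell.php&x=%3C%3Fphp%20system(%24_GET%5Bc%5D)%3B HTTP/1.1" 200 88 "-" "python-requests/2.32"',
    '198.51.100.23 - - [30/Jun/2026:10:15:09 +0000] "GET /images/shell.php?c=id HTTP/1.1" 200 41 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for finding in triage_log(LOG_SAMPLE):
        print(finding["ip"], finding["method"], finding["status"], finding["reasons"])
```

Legitimate editor use also POSTs to com_jce, so a single "POST to JCE handler" hit is a pivot for review against admin session activity, not an alert on its own; multiple reasons on one request, or a media-directory .php hit from the same source shortly after, is what should page someone.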

Organizations using Joomla should subscribe to the Widget Factory security mailing list or monitor the Joomla Extensions Directory (JED) for patch announcements. Given the active exploitation status, this vulnerability is likely being incorporated into automated exploit kits and mass-scanning campaigns.
