CISA added CVE-2026-48907 to the Known Exploited Vulnerabilities (KEV) catalog on June 16, 2026, confirming active exploitation of a flaw in the Joomla Content Editor (JCE) that allows unauthenticated remote code execution. The June 19, 2026 deadline applies to Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive 26-04: patching alone is not enough; agencies must verify whether the system was already compromised.
- CVE-2026-48907 carries a CVSS v4.0 score of 10.0: network attack vector, no privileges required, total impact on confidentiality, integrity, and availability per the official CVE.org record.
- The vulnerability resides in the Widget Factory JCE component, not in Joomla core: improper access control allows unauthenticated users to create editor profiles and upload arbitrary PHP code.
- Affected versions range from 1.0.0 to 2.9.99.4; patch 2.9.99.5 was released on June 3, 2026, with additional hardening in 2.9.99.6.
- CISA requires U.S. federal agencies to perform post-exploitation verification in addition to applying the patch, shifting the operational burden from a simple update to a forensic investigation.
The Mechanism: Three Weaknesses That Bypass Joomla Controls
YesWeHack research reconstructed the technical chain with precision. The vulnerable endpoint is /index.php?option=com_jce&task=profiles.import, reachable via a simple POST request. The first missing link is authorization: the profiles.import function calls neither Factory::getUser() nor the $user->authorise(...) check. As the research notes, "the only gate was a CSRF token check," trivially obtainable from the site's homepage.
The second flaw concerns uploaded file validation. Joomla uses File::makeSafe to sanitize filenames, but this function does not filter the .php extension. The third element is the call to File::upload($source, $destination, false, true): the final parameter $allow_unsafe=true, as documented by YesWeHack, "explicitly disabled Joomla's built-in extension safety net."
The uploaded file is written to the tmp/ directory with its extension preserved. In default Joomla configurations, this directory is publicly accessible with PHP execution enabled. The combination of these three flaws transforms an exposed administrative feature into a pre-authentication remote code execution vector.
The Patch: What Changes in 2.9.99.5 and 2.9.99.6
Version 2.9.99.5, released June 3, 2026, introduces four substantial changes to the import flow. An authorise('core.manage', 'com_jce') check is added, requiring administrative privileges. Permitted upload extensions are restricted to a whitelist containing only .xml. The $allow_unsafe=true parameter is removed, restoring Joomla's native safety control. A 512 KB upload size limit is imposed to contain payloads.
Version 2.9.99.6 adds further hardening: XXE protection in XML parsing and a filter on permitted XML keys. This layered defense responds to the chained nature of the vulnerability, where no single fix would suffice.
"Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users" — CISA KEV Catalog
BOD 26-04: CISA's Forensic Turn
Binding Operational Directive 26-04, cited in the CISA alert of June 16, establishes two binding requirements for FCEB agencies. The first is the rapid remediation deadline: the patch must be applied by June 19, 2026. The second, less routine, is the obligation to meet "basic expectations for when agencies must check whether threat actors compromised the system before the patch was applied."
This requirement marks an evolution in CISA's operational model: it is no longer just patch management but a mandatory pre-remediation compromise assessment. For federal agencies, this means activating forensic procedures on systems hosting JCE before considering the incident closed. The operational impact is significant: remediation shifts from a software update to a security investigation.
What to Do Now
Organizations with Joomla infrastructure must identify all installations of the Widget Factory JCE component and verify the version. Instances from 1.0.0 to 2.9.99.4 are vulnerable and require a priority update to 2.9.99.5 or later.
U.S. federal agencies must complete patch application by June 19, 2026, to maintain BOD 26-04 compliance. Post-exploitation verification is a binding requirement, not optional.
For all other organizations, inclusion in the KEV catalog with a CVSS 10.0 score and confirmed active exploitation elevates priority from "plannable" to "immediate." An EPSS score below 1% on OpenCVE does not mitigate the risk: the KEV catalog indicates documented exploitation, making the likelihood of attack a certainty for exposed assets.
Version 2.9.99.6 is preferable to 2.9.99.5 where feasible, given the additional hardening countermeasures that reduce the residual attack surface.
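A starting point for the inventory step and for the compromise check that BOD 26-04 requires, written for this page as an added example (not code from the advisory, CISA, YesWeHack or the JCE project): it reads the component version from the JCE manifest, flags access-log lines that hit the profiles.import endpoint or request a PHP file under tmp/, and filters a tmp/ listing for web-executable files. It assumes the manifest is administrator/components/com_jce/jce.xml with a top-level <version> element, that logs are in the Apache/Nginx combined format, and a PHP suffix list of its own; all sample inputs are constructed.

```python
"""Triage helpers for CVE-2026-48907 (Widget Factory JCE): manifest version
check, access-log review, and a filter for PHP files left in Joomla's tmp/."""
import re
from pathlib import Path
from xml.etree import ElementTree as ET

FIRST_FIXED = (2, 9, 99, 5)                               # first patched release
PHP_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}  # assumed executable suffixes
# Quoted request field as in the Apache/Nginx combined log format (assumption).
# Query parameters match in any order; URL-encoded variants are not covered.
IMPORT_RE = re.compile(
    r'"POST (?=[^"]*\boption=com_jce\b)(?=[^"]*\btask=profiles\.import\b)[^"]*"')
TMP_PHP_RE = re.compile(r'"(?:GET|POST) \S*/tmp/[^" ?]+\.php\d?\b')

def parse_version(text):
    """Turn '2.9.99.4' into (2, 9, 99, 4) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def jce_is_vulnerable(manifest_xml):
    """Read <version> from the component manifest (assumed: jce.xml with a
    top-level <version> child) and report whether it predates 2.9.99.5."""
    version = ET.fromstring(manifest_xml).findtext("version")
    if not version:
        raise ValueError("manifest has no <version> element")
    return parse_version(version) < FIRST_FIXED

def flag_log_lines(lines):
    """Return (import_posts, tmp_php_hits); either warrants forensic review, neither proves compromise."""
    import_posts = [l for l in lines if IMPORT_RE.search(l)]
    tmp_php_hits = [l for l in lines if TMP_PHP_RE.search(l)]
    return import_posts, tmp_php_hits

def php_files_among(paths):
    """Which of the given tmp/-relative paths (e.g. from os.walk) are PHP files."""
    return sorted(p for p in paths if Path(p).suffix.lower() in PHP_EXTS)

# Constructed sample inputs (not real data) so the helpers run offline.
SAMPLE_MANIFEST = ('<extension type="component" method="upgrade">'
                   '<name>COM_JCE</name><version>2.9.99.4</version></extension>')
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jun/2026:10:14:02 +0000] "POST /index.php?task=profiles.import&option=com_jce HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [16/Jun/2026:10:15:11 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Jun/2026:10:14:09 +0000] "GET /tmp/profile.php HTTP/1.1" 200 88 "-" "curl/8.0"',
]

if __name__ == "__main__":
    imports, tmp_hits = flag_log_lines(SAMPLE_LOG)
    print("JCE vulnerable:", jce_is_vulnerable(SAMPLE_MANIFEST))
    print(f"profiles.import POSTs: {len(imports)}, tmp/*.php requests: {len(tmp_hits)}")
    print("PHP files in tmp/:", php_files_among(["profile.php", "index.html", "cache/x.PHP"]))
```

A hit on either log check or a PHP file in tmp/ is a trigger for the full forensic review the directive asks for, not a verdict; a clean result only covers the log window you actually retained.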
The "Forgotten Component" Problem
JCE is described by YesWeHack as the most popular editor for Joomla and one of the most installed extensions. Its ubiquity is part of the problem. Third-party components in CMS platforms like Joomla or WordPress often operate outside centralized patching processes: the sysadmin updates the core, but plugins lag behind. The lack of IT visibility into these elements — the "forgotten endpoint" — creates a class of systematically underestimated vulnerabilities.
The pre-authentication nature of the flaw eliminates any access barrier. No stolen credentials, no phishing, no prior compromise required. An internet-exposed instance is directly reachable. The maximum CVSS severity reflects this combination of accessibility and total impact.
No infrastructure overlaps link active operators to specific threat actors at this time. CISA classifies the exploitation context as "Unknown" regarding ransomware campaigns or other modalities. The geographic scale, affected sectors, and exact number of compromised installations are not documented in available sources.
Information verified against cited sources and current as of publication.
Sources
- https://thehackernews.com/2026/06/cisa-warns-of-actively-exploited-joomla.html
- https://windowsforum.com/threads/cve-2026-48907-kev-joomla-jce-improper-access-control-exploited-patch-now.427091/
- https://www.yeswehack.com/news/rce-joomla-content-editor-extension
- https://app.opencve.io/cve/CVE-2026-48907
- https://www.cve.org/CVERecord?id=CVE-2026-48907
- https://nvd.nist.gov/vuln/detail/CVE-2026-48907
- https://www.cisa.gov/news-events/alerts/2026/06/16/cisa-adds-one-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2026/06/16/cisa-adds-one-known-exploited-vulnerability-catalog