CISA added a critical Joomla JCE vulnerability to its KEV list after attackers began exploiting the flaw to execute PHP code.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting the Joomla Content Editor (JCE) extension to its Known Exploited Vulnerabilities (KEV) catalog after confirming the flaw is being actively exploited in the wild.
The vulnerability, tracked as CVE-2026-48907, carries a CVSS score of 10.0 and affects the popular JCE extension developed by Widget Factory for Joomla websites. Security officials say the flaw stems from improper access controls that can allow unauthenticated attackers to upload and execute malicious PHP code on vulnerable servers.
According to CISA, attackers exploit the vulnerability by creating unauthorized editor profiles, which gives them a path to upload files and execute arbitrary code without valid credentials. The flaw affects JCE versions up to and including 2.9.99.4 and was addressed in version 2.9.99.5, released on June 3.
Joomla developers have warned that exploitation attempts are already automated and that publicly available exploit code is fueling attacks against exposed websites. Researchers say threat actors are using the vulnerability to deploy web shells, providing persistent remote access to compromised servers.
The Joomla project has stressed that installing the security update only blocks further exploitation; it does not undo a compromise that has already happened. Websites compromised before patching may still contain backdoors, malicious files, or unauthorized editor profiles left behind by attackers.
Administrators are being urged to upgrade to the latest JCE release immediately and review systems for signs of compromise. Recommended checks include auditing web server logs for unexpected upload or editor-profile activity, inspecting JCE editor profiles for unauthorized additions, and scanning the web root for web shells or other malicious implants.
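The two file-system and log checks above, as an added Python example that is not from the advisory, CISA, or the JCE project. It scans upload directories for PHP files and heuristic web-shell markers, and pulls JCE POST traffic and requests to PHP under upload paths out of access-log lines. The `option=com_jce` request pattern, the `images/` upload directory, the shell markers and the sample log lines are assumptions constructed for illustration; check the actual "File Directory Path" in your JCE profiles and adjust.

```python
"""Added triage helpers for a Joomla site that ran a vulnerable JCE version.

Two checks: find PHP dropped in upload directories, and pull suspicious JCE
and upload-path traffic out of web server access logs. The JCE URL pattern,
upload directory and shell markers are assumptions for illustration.
"""
import os
import re
import tempfile

# Suffixes served as PHP under common Apache/nginx configs (assumed list; match
# it to the handlers actually enabled on the host).
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".php7", ".phar")
# Where JCE's file browser writes media by default (assumption; the real path is
# the "File Directory Path" configured per JCE profile).
UPLOAD_DIRS = ("images",)
# Heuristic web-shell markers; a hit means "inspect", not "confirmed malicious".
SHELL_MARKERS = [re.compile(p, re.I) for p in (
    r"\beval\s*\(",
    r"\bbase64_decode\s*\(",
    r"\b(system|shell_exec|passthru|exec|popen)\s*\(",
    r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(",  # $_POST['a']($_POST['b'])
    r"\bassert\s*\(\s*\$_",
)]
# Apache/nginx "combined" log format: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def looks_like_php(name):
    """True for .php-style names and double extensions such as shell.php.jpg."""
    lower = name.lower()
    return lower.endswith(PHP_SUFFIXES) or any(s + "." in lower for s in PHP_SUFFIXES)


def find_php_in_upload_dirs(webroot):
    """Return [(relative_path, [matched marker patterns])] for PHP under upload dirs.

    Any PHP file in an upload directory is reported; markers are extra evidence,
    not a precondition, since a shell may be obfuscated past these patterns.
    """
    hits = []
    for upload_dir in UPLOAD_DIRS:
        for root, _dirs, files in os.walk(os.path.join(webroot, upload_dir)):
            for name in files:
                if not looks_like_php(name):
                    continue
                path = os.path.join(root, name)
                with open(path, "r", errors="replace") as fh:
                    body = fh.read(256 * 1024)  # bounded read; shells are small
                markers = [m.pattern for m in SHELL_MARKERS if m.search(body)]
                hits.append((os.path.relpath(path, webroot), markers))
    return sorted(hits)


def triage_access_log(lines):
    """Return (client, method, path, reason) for lines worth a closer look.

    "jce_post" marks POSTs into the JCE component (profile/upload traffic);
    "php_under_uploads" marks any request to PHP inside an upload directory.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, method, path, _status = m.groups()
        path_only = path.split("?", 1)[0]
        if method == "POST" and "option=com_jce" in path:
            findings.append((client, method, path, "jce_post"))
        elif any(path_only.startswith("/" + d + "/") for d in UPLOAD_DIRS) and looks_like_php(path_only):
            findings.append((client, method, path, "php_under_uploads"))
    return findings


# Constructed sample log (not real traffic): one scripted upload-then-execute
# sequence from 203.0.113.5 and one ordinary page view.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jun/2026:01:02:03 +0000] "POST /index.php?option=com_jce&task=plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [04/Jun/2026:01:02:09 +0000] "GET /images/stories/cache.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.7 - - [04/Jun/2026:01:05:00 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def build_demo_webroot():
    """Create a throwaway web root with a benign image and a planted shell."""
    root = tempfile.mkdtemp(prefix="joomla-demo-")
    os.makedirs(os.path.join(root, "images", "stories"))
    with open(os.path.join(root, "images", "stories", "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0 constructed jpeg stand-in")
    with open(os.path.join(root, "images", "stories", "cache.php"), "w") as fh:
        fh.write("<?php @eval(base64_decode($_POST['c'])); ?>")  # constructed shell
    return root


if __name__ == "__main__":
    root = build_demo_webroot()
    for rel_path, markers in find_php_in_upload_dirs(root):
        print(f"[file] {rel_path}  markers={markers}")
    for client, method, path, reason in triage_access_log(SAMPLE_LOG):
        print(f"[log]  {client} {method} {path} -> {reason}")
```

Run it against the real web root and a real access log (`find_php_in_upload_dirs("/var/www/html")`, `triage_access_log(open("/var/log/apache2/access.log"))`) and treat every hit as a lead to inspect, not a verdict; a PHP file in an upload directory needs an explanation even when no marker fires. Profile review itself is done in the JCE administration screens or its database table, which this script does not touch.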
Following the KEV designation, federal civilian agencies have been ordered to remediate the vulnerability by June 19 under CISA’s Binding Operational Directive requirements. Security experts are also advising private-sector organizations running Joomla sites to prioritize patching due to the ease of exploitation and the availability of working attack code.
The warning comes amid a broader rise in attacks targeting content management systems and website plugins, which continue to offer attackers a relatively simple route to compromise internet-facing servers.