A critical improper access control flaw in the Widget Factory Joomla Content Editor (JCE) lets unauthenticated attackers create editor profiles and upload and execute arbitrary PHP code, and CISA confirms it is being actively exploited.
What Is It
CVE-2026-48907 is an improper access control vulnerability (CWE-284) in the JCE editor extension for Joomla, developed by Widget Factory. According to the vendor and NVD, the flaw allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution. It carries a CVSS 4.0 base score of 10.0 (CRITICAL), with network attack vector, low attack complexity, no privileges or user interaction required, and high impact to confidentiality, integrity, and availability. The CVSS metrics also flag the vulnerability as automatable with an exploit maturity of "ATTACKED" and a provider urgency of RED.
Why It Matters
This is a remote, unauthenticated path to full code execution on the underlying web server. Because no authentication or user interaction is required and the attack is automatable, exposed Joomla sites running JCE are at high risk of compromise. CISA added the CVE to its Known Exploited Vulnerabilities catalog on 2026-06-16, confirming active exploitation in the wild. Known ransomware campaign use is currently listed as "Unknown."
What's Vulnerable
The affected product is Widget Factory's Joomla Content Editor (JCE), the editor extension for the Joomla content management system. The supplied NVD record does not enumerate specific affected version ranges (no CPEs were listed).
Patch Status
The vendor has published a security update and a free patch for older sites. CISA's required action is to apply mitigations per vendor instructions, follow applicable BOD 26-04 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The KEV due date for remediation is 2026-06-19.
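The "Why It Matters" and "Patch Status" sections amount to a triage rule: a KEV-listed, unauthenticated, automatable remote code execution flaw gets worked against CISA's due date, not the normal patch cycle. The following Python script is an added example, not code from the advisory, CISA or Widget Factory. It reads records in the shape of the public CISA KEV JSON feed, matches them against a software inventory and computes how many days remain until the due date. The field names follow the KEV feed; the CVE, vendor, product, dates and ransomware status come from this advisory, while the host names, inventory strings, `vulnerabilityName`, `shortDescription` and `requiredAction` text are constructed placeholders.

```python
"""
KEV-driven remediation triage (added example, not vendor or CISA code).

Reads CISA KEV-style catalog records, matches them against a software
inventory and computes the days remaining until CISA's remediation due date
so that hits can be worked in deadline order.
"""
import json
import re
from datetime import date

# Constructed sample in the shape of a CISA KEV catalog record. Field names
# follow the public KEV JSON feed; CVE, vendor, product, dates and ransomware
# status come from the advisory, the free-text values are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-48907",
            "vendorProject": "Widget Factory",
            "product": "Joomla Content Editor (JCE)",
            "vulnerabilityName": "Widget Factory JCE Improper Access Control Vulnerability",
            "dateAdded": "2026-06-16",
            "shortDescription": "Improper access control allows unauthenticated "
                                "creation of editor profiles, leading to PHP "
                                "upload and execution.",
            "requiredAction": "Apply mitigations per vendor instructions, follow "
                              "applicable BOD 26-04 guidance for cloud services, "
                              "or discontinue use of the product if mitigations "
                              "are unavailable.",
            "dueDate": "2026-06-19",
            "knownRansomwareCampaignUse": "Unknown",
        }
    ]
})

# Constructed inventory: host -> software strings as a CMDB might record them.
SAMPLE_INVENTORY = {
    "www-01": ["Joomla 5.x", "JCE editor"],
    "www-02": ["Joomla core 5.x"],
    "intranet-03": ["WordPress 6.x"],
}

# Tokens too generic to identify a product on their own.
GENERIC_TOKENS = {"content", "editor", "core", "server", "software", "plugin"}


def _tokens(text):
    """Lower-case alphanumeric tokens of 3+ characters, minus generic words."""
    return {t for t in re.findall(r"[a-z0-9]+", text.lower())
            if len(t) >= 3 and t not in GENERIC_TOKENS}


def load_kev(raw_json):
    """Parse a KEV-style JSON document into its list of vulnerability records."""
    return json.loads(raw_json)["vulnerabilities"]


def find_exposed_assets(kev_entries, inventory):
    """Return {(asset, cveID): sorted matched tokens}.

    Matching is deliberately broad: a Joomla host matches the JCE entry
    because the extension may be installed there. An analyst confirms hits.
    """
    hits = {}
    for entry in kev_entries:
        kev_tokens = _tokens(entry["vendorProject"] + " " + entry["product"])
        for asset, software in inventory.items():
            matched = set()
            for item in software:
                matched |= _tokens(item) & kev_tokens
            if matched:
                hits[(asset, entry["cveID"])] = sorted(matched)
    return hits


def triage(kev_entries, inventory, today_iso):
    """Build deadline-ordered rows for every (asset, CVE) hit as of today_iso."""
    today = date.fromisoformat(today_iso)
    by_cve = {e["cveID"]: e for e in kev_entries}
    rows = []
    for (asset, cve_id), matched in find_exposed_assets(kev_entries, inventory).items():
        entry = by_cve[cve_id]
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "asset": asset,
            "cveID": cve_id,
            "matched_on": matched,
            "remediation_window_days": (due - added).days,  # KEV window length
            "days_remaining": (due - today).days,           # negative when late
            "overdue": today > due,
            "ransomware_use": entry["knownRansomwareCampaignUse"],
            "required_action": entry["requiredAction"],
        })
    rows.sort(key=lambda r: (r["days_remaining"], r["asset"]))
    return rows


if __name__ == "__main__":
    for row in triage(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, "2026-06-17"):
        status = "OVERDUE" if row["overdue"] else f"{row['days_remaining']} day(s) left"
        print(f"{row['asset']:<12} {row['cveID']}  {status:<16} "
              f"matched on {', '.join(row['matched_on'])}  "
              f"ransomware: {row['ransomware_use']}")
```

Run against the live KEV feed, the same script turns a new JCE entry into a dated work item per host within minutes of CISA publishing it; the three-day window between `dateAdded` and `dueDate` here is the point the advisory is making about urgency. The token matching over-reports on purpose (every Joomla host is flagged, since JCE is a Joomla extension), which is the safer failure mode for a flaw that needs no authentication.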
Sources
- CISA KEV Catalog Entry, CVE-2026-48907
- NVD, CVE-2026-48907: https://nvd.nist.gov/vuln/detail/CVE-2026-48907
- JCE Security Update and Free Patch for Older Sites: https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites
- JCE Editor Changelog: https://www.joomlacontenteditor.net/support/changelog/editor
- CISA BOD 26-04, Prioritizing Security Updates Based on Risk: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk