CISA Orders Patch for CVSS 10 Joomla JCE Flaw by June 19

CISA has added a maximum-severity vulnerability in the Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities catalog, giving federal agencies until June 19, 2026 to apply patches. Tracked as CVE-2026-48907, the flaw carries a perfect CVSS score of 10.0 and enables unauthenticated attackers to upload and execute arbitrary PHP code.

How the Exploit Works

The vulnerability stems from insufficient access controls in JCE's profile import functionality. Attackers can create new editor profiles without authentication by sending crafted requests to /index.php?option=com_jce&task=profiles.import. Once a rogue profile is established, it can be weaponized to upload PHP web shells, granting persistent backdoor access to the compromised server.

Security researcher Phil E. Taylor of mySites.guru confirmed that attackers are actively exploiting this flaw in automated attacks. The exploit chain is straightforward:

1. Send unauthenticated request to import a malicious editor profile
2. Use the imported profile to upload a PHP web shell
3. Execute arbitrary commands with web server privileges

Affected Versions

JCE versions 1.0.0 through 2.9.99.4 are vulnerable. Widget Factory released version 2.9.99.5 on June 3, 2026 to address the flaw, acknowledging that "insufficient access controls permitted unauthenticated users to upload editor profiles."

The JCE extension is one of the most popular editors for Joomla, used across thousands of websites. Its presence on e-commerce sites, government portals, and corporate intranets makes this vulnerability particularly attractive to attackers seeking initial access.

Detection and Remediation

Joomla administrators should immediately check for these indicators of compromise:

Network indicators:

• Unauthenticated HTTP requests to index.php?option=com_jce&task=profiles.import
• Unusual file uploads to JCE media directories

Server indicators:

• Unexpected PHP files in web-accessible directories
• New or modified JCE editor profiles you did not create
• Web server processes spawning suspicious child processes

Critically, Widget Factory warns that "updating closes the entry point but does not clean a site that was already compromised." Simply patching does not remediate existing web shells. Administrators must:

1. Update JCE to version 2.9.99.5 or later immediately
2. Audit editor profiles and remove any you did not create
3. Search for web shells in media directories and web root
4. Review server access logs for exploitation attempts
5. Consider a full security audit if any compromise indicators are found

The CISA KEV Context

This marks another CISA KEV addition in a busy week for the catalog. The Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV vulnerabilities within specified timeframes—in this case, just three days from the June 16 addition.

For private sector organizations, KEV inclusion signals active exploitation and should trigger immediate patching priority. The vulnerability's CVSS 10.0 rating and trivial exploitation complexity mean mass scanning and automated attacks are certain.

Web application vulnerabilities like this one represent a significant portion of initial access vectors. CMS platforms have been heavily targeted in 2026—we've seen Ghost CMS sites compromised in ClickFix campaigns and WordPress installations weaponized for malware delivery. Organizations running any CMS should ensure they have visibility into installed extensions and maintain aggressive patching schedules.

Why This Matters

CMS vulnerabilities with unauthenticated code execution remain some of the most dangerous flaws in the vulnerability landscape. They require no credentials, no user interaction, and can be exploited at scale with simple HTTP requests.

Joomla installations are often forgotten infrastructure—marketing sites, legacy portals, and departmental pages that receive minimal security attention. Attackers know this and specifically target CMS extensions for exactly these scenarios. The JCE editor's popularity makes it a high-value target: one working exploit, thousands of potential victims.

If your organization runs Joomla in any capacity, verify JCE extension status today. The three-day CISA deadline should indicate the urgency required.