CISA has ordered federal agencies to urgently patch CVE-2026-48907, a maximum-severity flaw in the Widget Factory Joomla Content Editor (JCE) plugin that is being actively exploited in the wild. Attackers can use the issue to upload and execute PHP code on vulnerable Joomla sites, and JCE Pro 2.9.99.6 or later is required to fix it.
Keypoints
- CISA added CVE-2026-48907 to its actively exploited vulnerabilities list.
- The JCE plugin flaw allows unauthenticated PHP code upload and execution.
- JCE Pro 2.9.99.6 was released to fix the vulnerability.
- CISA ordered FCEB agencies to patch by Friday under BOD 26-04.
- Compromised sites must be cleaned, not just updated, to remove attacker access.