U.S. CISA adds Widget Factory Joomla Content Editor flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Widget Factory Joomla Content Editor (JCE) flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Widget Factory Joomla Content Editor (JCE) flaw, tracked as CVE-2026-48907 (CVSS score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog.

“A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.” reads the advisory.

The vulnerability allows attackers to create new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.

“Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users.” states CISA.

The vulnerability impacts JCE versions 1.0.0 through 2.9.99.4, it was fixed in version 2.9.99.5, released on June 3, 2026. At this time, details of ongoing attacks have not been disclosed.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by the end of this week, on June 19, 2026.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)