{"cve":{"cve_id":"CVE-2026-48907","is_kev":true,"kev_date_added":"2026-06-16","kev_vendor_project":"Widget Factory","kev_product":"Joomla Content Editor ","kev_vulnerability_name":"Widget Factory Joomla Content Editor Improper Access Control Vulnerability","kev_short_description":"Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users. ","kev_required_action":"Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.","kev_due_date":"2026-06-19","kev_known_ransomware":false,"kev_notes":"https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites ; https://www.joomlacontenteditor.net/support/changelog/editor ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-48907","kev_cwes":["CWE-284"],"epss_score":0.80425,"epss_percentile":0.99569,"epss_as_of":"2026-06-23","description":"A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and 
execution.","published_at":"2026-06-05T07:31:30.257000Z","last_modified_at":null,"cvss_v3_score":null,"cvss_v3_vector":null,"cvss_v3_severity":null,"cvss_v4_score":10.0,"cvss_v4_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red","cvss_v4_severity":"CRITICAL","ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-284"],"nvd_references":["https://www.joomlacontenteditor.net/"],"vuln_status":null,"trending_score":0.6324780190663069,"is_trending":true,"has_trended":true,"trended_number_one":false,"trending_peak_score":0.6324780190663069,"trending_peak_rank":5,"started_trending_at":"2026-06-29T02:30:27.366045Z","trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:31.350578Z","updated_at":"2026-06-29T02:30:27.550645Z"},"effective_severity":"CRITICAL","badges":["kev","poc","news","trending","epss"],"impact_analysis":[],"cvss_v3_decoded":{"version":null,"metrics":[]},"cvss_v4_decoded":{"version":"4.0","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"AT","name":"Attack Requirements","value":"N","value_label":"None"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"VC","name":"Confidentiality (Vulnerable System)","value":"H","value_label":"High"},{"metric":"VI","name":"Integrity (Vulnerable System)","value":"H","value_label":"High"},{"metric":"VA","name":"Availability (Vulnerable System)","value":"H","value_label":"High"},{"metric":"SC","name":"Confidentiality (Subsequent System)","value":"H","value_label":"High"},{"metric":"SI","name":"Integrity (Subsequent System)","value":"H","value_label":"High"},{"metric":"SA","name":"Availability (Subsequent 
System)","value":"H","value_label":"High"},{"metric":"E","name":"Exploit Maturity","value":"A","value_label":"Attacked"},{"metric":"AU","name":"Automatable","value":"Y","value_label":"Yes"},{"metric":"U","name":"Provider Urgency","value":"Red","value_label":"Red"}]},"affected":[{"vendor_slug":"joomlacontenteditor.net","vendor_name":"joomlacontenteditor.net","product_slug":"joomla-content-editor-jce-extension-for-joomla","product_name":"Joomla Content Editor (JCE) extension for Joomla","version_start":"1.0.0-2.9.99.4","version_start_inclusive":true,"version_end":"1.0.0-2.9.99.4","version_end_inclusive":true,"cpe23_uri":"cve5:joomlacontenteditor.net:joomla-content-editor-jce-extension-for-joomla:1.0.0-2.9.99.4:1.0.0-2.9.99.4"}],"exploit_refs":[{"source":"nuclei","kind":"nuclei","url":"https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-48907.yaml","title":"Joomla! JCE extension < 2.9.99.5 unauthenticated RCE","author":"ywh-jfellus","disclosed_at":null}],"news":[{"id":58,"source":"The Hacker News","url":"https://thehackernews.com/2026/06/cisa-warns-of-actively-exploited-joomla.html","title":"CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution","summary":"The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.\n\nThe vulnerability, tracked as CVE-2026-48907 (CVSS score: 10.0), is a case of improper access control that could facilitate arbitrary","thumbnail_url":"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisS71RYEu_1Sts3eqAt878RoohdLgeUzyTbRQgFqUYQcwBxzKB1ug6AvOBRXqZvWcChuLVj6KFbIt7nO9RX66ZJZyMEIADvIXe-fdNDrQIYXGtcMt3StDzbK4lF9ZLpF9pqCR1cGEa4lLkFFRVqIyD5w0JqwhVgr-C9ga7pZ6IQWpFmbsojcsGePBnzsGW/s1600/joomla.jpg","author":"info@thehackernews.com (The Hacker News)","published_at":"2026-06-17T05:50:46Z","fetched_at":"2026-06-24T00:09:35.157664Z","trending_score":0.10741907249040121,"cve_ids":["CVE-2026-48907"]}],"references":[{"url":"https://www.joomlacontenteditor.net/","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-06-05T07:31:30.257000Z","label":"CVE published","source":null},{"type":"cisa_reported","at":"2026-06-16T00:00:00Z","label":"Added to CISA KEV catalog","source":"kev"},{"type":"first_article","at":"2026-06-17T05:50:46Z","label":"First news coverage","source":"The Hacker News"},{"type":"poc_available","at":"2026-06-24T00:29:48.638073Z","label":"Public PoC available","source":"nuclei"},{"type":"cvss_changed","at":"2026-06-28T17:55:03.830140Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:03.830140Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:03.830140Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"started_trending","at":"2026-06-29T02:30:27.366045Z","label":"Started trending","source":null}]}