CRITICALVulnerability
Global

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

·Source: The Hacker News

Updated:

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-48907 (CVSS score: 10.0), is a case of improper access control that could facilitate arbitrary

Analysis

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-48907 (CVSS score: 10.0), is a case of improper access control that could facilitate arbitrary

Indicators of Compromise (1)

CVE (1)
CVE-2026-48907
NVDMITRE CVE
Source Attribution

Originally published by The Hacker News on Jun 17, 2026.

Related Threats

MEDIUMVulnerabilityNEW

Klarna embeds in Bolt mobility app

Klarna, the global digital bank and payments provider, has partnered with Bolt, the European shared mobility platform, to bring Klarna's payment options directly into the Bolt app.

Finextra
MEDIUMVulnerabilityNEW

EBAday 2026: Rebuilding the payments landscape

The three afternoon expert panels on day one of EBAday 2026 explored cross-border payments, changes in customer behaviour, and embedded finance.

Finextra
MEDIUMVulnerabilityNEW

Nopan becomes Principal Member of EPI

As Wero expands beyond peer-to-peer payments into e-commerce and evolves into a new generation European digital wallet, merchants are preparing to offer consumers richer account and wallet payment experiences.

Finextra