A critical vulnerability (CVE-2026-48907, CVSS 10.0) in the Joomla Content Editor (JCE) plugin allows attackers to bypass access controls and execute arbitrary PHP code on affected servers. CISA has added it to its Known Exploited Vulnerabilities catalogue, confirming active exploitation in the wild. Any internet-facing Joomla site running the JCE plugin is at serious risk of full server compromise.

Security Architect’s Take: Immediately audit your estate and cloud-hosted workloads for any Joomla installations running the JCE plugin and apply the vendor patch as an emergency change. If patching cannot be done promptly, take affected instances offline or block public access to the Joomla admin and editor endpoints via WAF or security group rules.

Original advisory: CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution