<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Joomla on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/joomla/</link><description>Recent content in Joomla on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Wed, 17 Jun 2026 05:50:46 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/joomla/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-48907: Joomla JCE RCE Flaw Actively Exploited</title><link>https://zxcloudsecurity.co.uk/posts/joomla-jce-rce-cve-2026-48907-actively-exploited-cisa-kev/</link><pubDate>Wed, 17 Jun 2026 05:50:46 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/joomla-jce-rce-cve-2026-48907-actively-exploited-cisa-kev/</guid><description>CISA adds CVE-2026-48907 (CVSS 10.0) to KEV catalogue. The Joomla JCE plugin flaw allows arbitrary PHP code execution — patch immediately.</description><content:encoded><![CDATA[<p>🔴 <strong>Critical</strong>  |  <strong>Source:</strong> <a href="https://thehackernews.com/2026/06/cisa-warns-of-actively-exploited-joomla.html">The Hacker News</a></p>
<hr>
<p>A critical vulnerability (CVE-2026-48907, CVSS 10.0) in the Joomla Content Editor (JCE) plugin allows attackers to bypass access controls and execute arbitrary PHP code on affected servers. CISA has added it to its Known Exploited Vulnerabilities catalogue, confirming active exploitation in the wild. Any internet-facing Joomla site running the JCE plugin is at serious risk of full server compromise.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Immediately audit your estate and cloud-hosted workloads for any Joomla installations running the JCE plugin and apply the vendor patch as an emergency change. If patching cannot be done promptly, take affected instances offline or block public access to the Joomla admin and editor endpoints via WAF or security group rules.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://thehackernews.com/2026/06/cisa-warns-of-actively-exploited-joomla.html">CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution</a></p>
]]></content:encoded></item><item><title>CVE-2026-48907: Joomla Plugin RCE via File Upload</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-48907-widget-factory-joomla-content-editor-rce/</link><pubDate>Tue, 16 Jun 2026 00:00:00 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-48907-widget-factory-joomla-content-editor-rce/</guid><description>CVE-2026-48907 allows unauthenticated attackers to upload and execute PHP code via Widget Factory Joomla Content Editor. Patch by 19 June 2026.</description><content:encoded><![CDATA[<p>🔴 <strong>Critical</strong>  |  <strong>Source:</strong> <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">CISA Known Exploited Vulnerabilities</a></p>
<hr>
<p>A critical vulnerability in the Widget Factory Joomla Content Editor plugin allows unauthenticated attackers to upload and execute arbitrary PHP code by creating new editor profiles. This effectively grants full remote code execution on affected Joomla sites without requiring any login credentials. It has been added to the CISA Known Exploited Vulnerabilities catalogue, confirming active exploitation in the wild.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Audit all Joomla deployments across your environment and patch or disable the Widget Factory Content Editor plugin immediately. If Joomla sites are hosted on cloud infrastructure, treat any exposed instance as potentially compromised and review web application firewall rules to block unauthenticated POST requests to editor profile creation endpoints whilst patching is carried out.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">CVE-2026-48907: Widget Factory Joomla Content Editor</a></p>
]]></content:encoded></item></channel></rss>