CVE-2026-48907: CISA — active exploitation of JCE in Joomla. Update to 2.9.99.5 immediately

Colleagues, a cybersecurity alert: CISA added the JCE vulnerability (CVE-2026-48907) to KEV.
What happened:
- Rated CVSS 10.0, the flaw allows unauthenticated actors to create editor profiles and to upload and execute PHP.
- Affects JCE 1.0.0–2.9.99.4; fixed in 2.9.99.5 (2026-06-03). Federal agencies must patch by 2026-06-19.
Related campaigns:
- Attacks on WordPress plugins (OptinMonster, TrustPulse, PushEngage) inject JS, install backdoors and web shells, and gain full filesystem access.
Why it matters: remote PHP execution leads to server compromise and loss of availability and integrity.
What steps have you taken to protect systems?
#cybersecurity #Joomla #WordPress #vulnerabilities
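
A version check for the affected range given above (JCE 1.0.0–2.9.99.4, fixed in 2.9.99.5), as an added example that is not part of the original post and not JCE or CISA code. It assumes the installed version is read from the `<version>` element of a Joomla extension manifest; the manifest below is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Range boundaries exactly as stated in the post.
FIRST_AFFECTED = "1.0.0"
FIXED_IN = "2.9.99.5"

# Constructed sample manifest (not copied from a real installation).
SAMPLE_MANIFEST = """<extension type="component" method="upgrade">
  <name>COM_JCE</name>
  <version>2.9.99.4</version>
</extension>"""


def parse_version(text, width=4):
    """'2.9.99.4' -> (2, 9, 99, 4). Compared numerically, so 2.9.99.10
    sorts after 2.9.99.5, which a plain string comparison gets wrong."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:  # keep leading digits, ignore a suffix like '-beta'
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(digits))
    # Pad short versions so '2.9' compares as 2.9.0.0.
    return tuple(parts) + (0,) * max(0, width - len(parts))


def is_affected(version):
    """True when FIRST_AFFECTED <= version < FIXED_IN."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED_IN)


def check_manifest(xml_text):
    """Return (version, affected) for a Joomla extension manifest string."""
    node = ET.fromstring(xml_text).find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version> element")
    version = node.text.strip()
    return version, is_affected(version)


if __name__ == "__main__":
    print(check_manifest(SAMPLE_MANIFEST))
```

A version at or above the fixed release only shows that the patch is installed; it says nothing about whether the site was compromised before the update.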

