Critical Unauthenticated Code Execution Flaw (CVE‑2026‑48907) in Joomla JCE Editor Added to CISA KEV Catalog
What It Is — The Joomla Content Editor (JCE) extension contains an improper access‑control bug that lets unauthenticated users create new editor profiles, enabling arbitrary PHP file upload and execution. The flaw affects JCE versions 1.0.0‑2.9.99.4 and was patched in 2.9.99.5 (released June 3 2026).
Exploitability — CVSS 10.0 (critical). The vulnerability is actively exploited; CISA has placed it in the Known Exploited Vulnerabilities (KEV) catalog and issued a binding directive for federal agencies.
Affected Products — Widget Factory Joomla Content Editor (JCE) extension for Joomla CMS, versions 1.0.0 through 2.9.99.4.
Why It Matters for Compliance & Audit Readiness
- SOC 2 Access‑Control criteria (CC6.1, CC6.2) require documented, enforceable permissions for all system components; an unauthenticated profile‑creation path directly violates those controls.
- Continuous control monitoring must capture patch‑status and configuration drift; an unpatched JCE instance creates an audit‑evidence gap.
- Enterprise buyers now demand proof of timely remediation for KEV‑listed flaws as part of their SOC 2 vendor‑management assessments.
Recommended Actions
- Verify JCE version across all Joomla instances; upgrade to 2.9.99.5 or later immediately.
- Record the upgrade in your change‑management system and attach the vendor patch note as audit evidence.
- Update your asset inventory and vulnerability‑management dashboard to flag any remaining JCE installations.
- Conduct a focused access‑control test (e.g., unauthenticated profile creation) to confirm remediation.
- Incorporate KEV‑catalog monitoring into your continuous compliance workflow to meet CISA BOD 22‑01 deadlines.
Source: SecurityAffairs article