HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical Unauthenticated Code Execution Flaw (CVE-2026-48907) in Joomla JCE Editor Added to CISA KEV Catalog

CISA has listed a CVSS 10.0 vulnerability (CVE‑2026‑48907) in the Joomla Content Editor (JCE) extension as a Known Exploited Vulnerability. The bug lets unauthenticated users upload and run PHP code, forcing organizations to patch by June 19 2026 and prompting private firms to reassess access‑control and patch‑management controls for SOC 2 readiness.

LiveThreat™ Intelligence · 📅 June 17, 2026· 📰 securityaffairs.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

Critical Unauthenticated Code Execution Flaw (CVE‑2026‑48907) in Joomla JCE Editor Added to CISA KEV Catalog

What It Is — The Joomla Content Editor (JCE) extension contains an improper access‑control bug that lets unauthenticated users create new editor profiles, enabling arbitrary PHP file upload and execution. The flaw affects JCE versions 1.0.0‑2.9.99.4 and was patched in 2.9.99.5 (released June 3 2026).

Exploitability — CVSS 10.0 (critical). The vulnerability is actively exploited; CISA has placed it in the Known Exploited Vulnerabilities (KEV) catalog and issued a binding directive for federal agencies.

Affected Products — Widget Factory Joomla Content Editor (JCE) extension for Joomla CMS, versions 1.0.0 through 2.9.99.4.

Why It Matters for Compliance & Audit Readiness

  • SOC 2 Access‑Control criteria (CC6.1, CC6.2) require documented, enforceable permissions for all system components; an unauthenticated profile‑creation path directly violates those controls.
  • Continuous control monitoring must capture patch‑status and configuration drift; an unpatched JCE instance creates an audit‑evidence gap.
  • Enterprise buyers now demand proof of timely remediation for KEV‑listed flaws as part of their SOC 2 vendor‑management assessments.

Recommended Actions

  • Verify JCE version across all Joomla instances; upgrade to 2.9.99.5 or later immediately.
  • Record the upgrade in your change‑management system and attach the vendor patch note as audit evidence.
  • Update your asset inventory and vulnerability‑management dashboard to flag any remaining JCE installations.
  • Conduct a focused access‑control test (e.g., unauthenticated profile creation) to confirm remediation.
  • Incorporate KEV‑catalog monitoring into your continuous compliance workflow to meet CISA BOD 22‑01 deadlines.

Source: SecurityAffairs article

📰 Original Source
https://securityaffairs.com/193775/hacking/u-s-cisa-adds-widget-factory-joomla-content-editor-jce-flaw-to-its-known-exploited-vulnerabilities-catalog.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →