CISA added CVE-2026-48907 to its Known Exploited Vulnerabilities catalog on June 16 after confirming active exploitation of a critical flaw in the Joomla Content Editor plugin that allows unauthenticated attackers to upload arbitrary files and execute PHP code on vulnerable servers. Federal agencies face a remediation deadline of June 19, while automated scanning campaigns are already sweeping for unpatched installations across the approximately 2.5 million active Joomla sites worldwide.
CVE-2026-48907: Unauthenticated File Upload to PHP Execution in JCE Pro
CVE-2026-48907 is an improper access control flaw in JCE’s editor profile handling. An unauthenticated attacker who reaches the file upload endpoint can deliver and execute PHP webshells or arbitrary payloads without any valid account on the target site. Public exploit code is available and automated attack campaigns scanning for vulnerable JCE installations are confirmed active.
JCE — the Joomla Content Editor — is one of the most widely installed Joomla extensions. All JCE Pro versions before 2.9.99.5 are affected. The vendor released an initial patch on June 3 and additional hardening in version 2.9.99.6 on June 6.
Joomla’s Warning: Patching Does Not Clean an Already-Compromised Site
Alongside the disclosure, Joomla issued a critical operational warning with significant remediation implications: “Updating closes the entry point but does not clean a site that was already compromised.”
This warning creates a distinct risk category for organizations that patched after June 3 without conducting a post-compromise forensic review. Any site compromised before patching may have active webshells or backdoor accounts already installed — and those persist after the vulnerability is closed. Patching is a necessary but insufficient step for sites that were exposed during the exploitation window.
Organizations running JCE Pro on sites that received automated scanning traffic before they applied the June 3 or June 6 updates should treat the patch as the beginning of their response, not the end. Forensic review of file system changes, newly created administrative accounts, and web server logs for the exploitation window is required to confirm a site is clean rather than simply closed.
What Unauthenticated PHP Code Execution Provides to an Attacker
Arbitrary PHP code execution on a web server delivers complete server-level compromise from a single HTTP request. From that foothold, an attacker can read and modify any file accessible to the web server process, query the site’s database directly, establish persistent webshell access that survives subsequent patching, and pivot into the internal network from the compromised server.
Because Joomla frequently runs on shared hosting environments and on servers that are administratively connected to broader organizational infrastructure, a single compromised Joomla installation can serve as a persistent entry point for lateral movement — particularly if the web server process has access to credentials or network segments beyond the site itself.
Automated Scanning Compresses the Exploitation Window for Unpatched Sites
The CISA KEV listing confirms that CVE-2026-48907 is being actively exploited in the wild, not merely in proof-of-concept demonstrations. The combination of public exploit code and automated scanning campaigns means that vulnerable sites may be targeted within hours of appearing in attacker scan results — before administrators have had an opportunity to assess or apply the patch.
The June 19 federal remediation deadline under BOD 22-01 applies to federal civilian executive branch agencies, but the underlying urgency applies to any organization running a vulnerable JCE Pro installation. The June 6 patch (version 2.9.99.6) is the current fully hardened release and represents the target state for remediation.
Sites that confirmed they were already running 2.9.99.5 or 2.9.99.6 before the exploitation window opened are not exposure-free by default — the prior versions before June 3 were the vulnerable window, and organizations need to verify their update timeline against the period of active scanning to determine whether their site was reached before or after the patch was applied.
