
CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

Source: thehackernews.com | Date: 2026-06-17 | Category: AI supply chain | Severity: Critical

What Happened

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-48907 (CVSS score: 10.0), is a case of improper access control that could facilitate arbitrary

Why It Matters

The article reports that CISA has added CVE-2026-48907, a critical improper access control flaw in the Joomla Content Editor (JCE), to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Independent analyses state that this bug allows unauthenticated attackers to create malicious editor profiles and upload arbitrary PHP files, resulting in pre-auth remote code execution and full compromise of Joomla sites running vulnerable JCE versions prior to 2.9.99.5.[1][2][3][6] From a CyberSE.AI perspective, this highlights the broader AI/software supply chain risk: web platforms and extensions used to host or integrate AI agents and models can be silently taken over, leading to downstream data theft, model tampering, and integrity loss. Organizations should treat third‑party CMS components as part of their AI supply chain, maintain an SBOM for sites that embed AI services, enforce rapid patching of critical RCEs, and include such components in AI Security Readiness Assessments to ensure that compromised web tiers cannot be leveraged to attack AI backends.
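As an added defender-side check that is not from the article or the JCE project: the script below decides whether an installed JCE version predates the 2.9.99.5 fix named above (plain numeric component comparison, an assumption about how JCE numbers releases) and walks a Joomla web root for server-side script files sitting under the media upload folder, where none should exist. The `images` directory name is an assumption about a default Joomla layout, and the sample web root it scans is constructed in a temp directory.

```python
import re
import tempfile
from pathlib import Path

# Fixed JCE release named in the advisory above; older installs are affected.
FIXED_JCE_VERSION = "2.9.99.5"
# Sub-directories of the Joomla web root holding uploaded media (assumption:
# Joomla's default image folder; adjust to the site's configured upload path).
UPLOAD_DIRS = ("images",)
# Server-side script extensions that have no business under a media folder.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

def parse_version(version: str) -> tuple:
    """Turn '2.9.99.5' into an integer tuple; missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (4 - len(parts)))

def jce_is_vulnerable(installed: str, fixed: str = FIXED_JCE_VERSION) -> bool:
    """True when the installed JCE release predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)

def find_scripts_in_uploads(webroot, upload_dirs=UPLOAD_DIRS) -> list:
    """Return web-root-relative paths of script files found under the upload folders.
    Executable code under a media folder is a strong sign an upload path was abused."""
    root = Path(webroot)
    findings = []
    for sub in upload_dirs:
        base = root / sub
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            # Check every suffix: 'shell.PHP' and 'shell.php.jpg' are both flagged,
            # since some server configurations execute the latter.
            if path.is_file() and any(s.lower() in SCRIPT_EXTENSIONS for s in path.suffixes):
                findings.append(path.relative_to(root).as_posix())
    return sorted(findings)

def demo_scan() -> list:
    """Scan a constructed sample web root (temp dir) to show what a hit looks like."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "images" / "banners").mkdir(parents=True)
    (tmp / "images" / "banners" / "logo.png").write_bytes(b"constructed sample")
    (tmp / "images" / "banners" / "upload.PHP").write_text("<?php // constructed sample\n")
    (tmp / "images" / "cache.php.jpg").write_text("<?php // constructed sample\n")
    return find_scripts_in_uploads(tmp)

if __name__ == "__main__":
    print("JCE 2.9.99.4 vulnerable:", jce_is_vulnerable("2.9.99.4"))
    print("script files under upload dirs:", demo_scan())
```

Any hit from the scan should be handled as an incident-response lead (preserve the file and its timestamps, check web server logs for the upload request) rather than simply deleted.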

Sectors: Healthcare, Fintech, SaaS, SMB, AI startups

CyberSE Analysis

This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/cisa-warns-of-actively-exploited-joomla.html
