Is CVE-2026-48907 in the CISA Known Exploited Vulnerabilities catalog?

Yes — CVE-2026-48907 is listed in CISA KEV, remediation due 2026-06-19.

CISA Known Exploited Vulnerability

CVE-2026-48907

Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticate

⚠ Actively exploited (CISA KEV) Joomla 2026

CISA catalog entry

Product

Joomla Content Editor

Vendor

Widget Factory

Added to KEV

2026-06-16

Remediation due

2026-06-19

What WebPulse reported · 2 analyses

Joomla JCE Scores a Perfect 10: CISA KEV, PHP Web Shells, Zero Authentication Required

CVE-2026-48907 is a CVSS 10.0 flaw in the Joomla Content Editor plugin. Attackers upload PHP web shells through unauthenticated profile imports. CISA orders fed

June 18, 2026

CISA Lost One-Third of Its Staff. The Agency That Tracks Exploited Vulnerabilities Is Being Hollowed Out.

The Stakeholder Engagement Division lost 96 of 189 staff since January 2025. CISA partnerships face 'standstill.' The government's central cybersecurity coordin

June 18, 2026

View CVE-2026-48907 on the NIST National Vulnerability Database →

Related vulnerabilities

CVE-2026-9082 CVE-2026-3844 CVE-2023-23752 CVE-2026-8206 CVE-2026-48019 CVE-2026-35273 CVE-2026-11645 CVE-2026-8181