## Overview
CISA added CVE-2026-48907 to the KEV catalog today. Federal agencies have 14 days to remediate. The vulnerability affects Joomla's JCE editor extension from Widget Factory. CISA cited active exploitation as the reason for KEV inclusion.
## Technical Details
The flaw allows unauthenticated users to create new editor profiles. This bypasses access controls. Attackers then upload and execute arbitrary PHP code. The vulnerability exists in the profile creation endpoint. No user interaction is required for initial exploitation.
## Impact
CVSS score of 10.0 reflects full remote code execution. Attackers gain complete system control. The vulnerability is actively exploited in the wild. Federal systems face immediate risk per CISA's KEV mandate.
## Mitigation
Apply Widget Factory's patch immediately. Remove the JCE extension if patching is not feasible. Block access to the profile creation endpoint via web application firewall rules. Monitor for exploitation attempts targeting the /administrator/index.php?option=com_jce&task=profile.create endpoint. Ensure all Joomla installations are updated to the latest version. Do not delay patching beyond the 14-day federal deadline.
CSURFACE Threat Sensor