What happened
CISA added CVE-2026-48907 (CVSS 10.0) to its Known Exploited Vulnerabilities catalog on June 16, 2026, citing confirmed active exploitation. The flaw is an improper access control vulnerability in the JCE editor extension for Joomla that allows unauthenticated users to create editor profiles and abuse the profile import feature to upload and execute PHP code, yielding unauthenticated RCE on the web server.
Why it matters
While JCE is a general CMS component rather than AI-specific infrastructure, it is included per KEV coverage rules (CISA KEV addition is a Tier A operational signal). Joomla sites increasingly host AI chatbot plugins, AI content generation tools, and AI-powered search integrations; a web shell on a Joomla host can compromise AI API keys and credentials stored in the CMS configuration.
Attack vector
An unauthenticated attacker creates a new editor profile through the JCE profile creation endpoint (no login is required because of the improper access control), then abuses the profile import feature to upload and execute arbitrary PHP code on the server, yielding full web shell access.
Affected systems
Widget Factory Joomla Content Editor (JCE) — the most widely installed editor extension for Joomla CMS
Mitigation
Apply the JCE security patch immediately per vendor advisory. CISA federal due date: June 19, 2026. See: https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites
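Because the exploitation path ends with PHP code written into the Joomla install, a useful companion to patching is a post-patch sweep of the media folder for anything a PHP-capable web server could execute. The script below is an added defender-side example, not code from this advisory or from the JCE vendor: it walks a Joomla webroot's `images/` media folder (the default Joomla media directory, assumed here), flags files whose name carries a PHP-executable suffix anywhere in it (so `photo.php.jpg`-style names are caught as well), and optionally restricts the report to files modified after a given time. The sample webroot it builds is constructed for illustration and contains placeholder text, not real shell code.

```python
import os
import tempfile
from pathlib import Path

# Suffixes that PHP-capable web servers may hand to the interpreter.
# None of these belong in a media/upload directory.
EXECUTABLE_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".php7",
                       ".phtml", ".phar", ".phps"}


def is_suspicious(path: Path) -> bool:
    """True when any suffix of the filename is PHP-executable.

    Path.suffixes returns every dotted suffix, so 'photo.php.jpg'
    yields ['.php', '.jpg'] and is flagged.
    """
    return any(s.lower() in EXECUTABLE_SUFFIXES for s in path.suffixes)


def hunt_php_in_media(webroot, media_dir="images", modified_since=None):
    """Return [(relative_path, mtime)] for suspicious files under <webroot>/<media_dir>,
    newest first. modified_since is an optional epoch timestamp; older files are skipped."""
    base = Path(webroot)
    root = base / media_dir
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not is_suspicious(p):
                continue
            mtime = p.stat().st_mtime
            if modified_since is not None and mtime < modified_since:
                continue
            findings.append((p.relative_to(base).as_posix(), mtime))
    findings.sort(key=lambda f: f[1], reverse=True)
    return findings


def build_sample_webroot():
    """Constructed sample Joomla tree (assumed layout): one benign image,
    two planted placeholder files in the media folder, and a core PHP file
    outside it that must not be reported."""
    base = Path(tempfile.mkdtemp(prefix="joomla-sample-"))
    (base / "images" / "banners").mkdir(parents=True)
    (base / "images" / "banners" / "logo.png").write_bytes(b"\x89PNG-placeholder")
    (base / "images" / "cache.php").write_text("<?php /* placeholder, not a real shell */ ?>")
    (base / "images" / "banners" / "photo.php.jpg").write_text("placeholder")
    (base / "index.php").write_text("<?php // joomla entry point placeholder")
    return str(base)


if __name__ == "__main__":
    sample = build_sample_webroot()
    for rel, mtime in hunt_php_in_media(sample):
        print(f"SUSPICIOUS {rel} (mtime {mtime:.0f})")
```

Run it against a real install as `hunt_php_in_media("/path/to/joomla")`, and pass `modified_since` set to the time of the last known-good backup to narrow the list to files written since then; any hit in the media folder warrants treating the host as compromised and rotating the credentials and API keys stored in the CMS configuration.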