{
  "title": "Widget Factory Joomla Content Editor CVE-2026-48907: KEV Unauthenticated Profile Upload to PHP RCE",
  "summary": "CISA added CVE-2026-48907 to its Known Exploited Vulnerabilities (KEV) catalog on 2026-06-16. JCE 2.9.99.5 and 2.9.99.6 fix an unauthenticated editor-profile upload flaw that can lead to PHP code execution on Joomla sites.",
  "date": "2026-06-16",
  "severity": "critical",
  "tags": [
    "joomla",
    "php",
    "cisa-kev",
    "rce",
    "web-app"
  ],
  "sources_count": 4,
  "indicators": {
    "slug": "widget-factory-joomla-content-editor-cve-2026-48907-kev",
    "since": "2026-06-16T00:00:00Z",
    "until": "2026-06-16T23:59:59Z",
    "ecosystem": "",
    "cves": [
      "CVE-2026-48907"
    ],
    "cwes": [
      "CWE-284"
    ],
    "advisoryIds": [],
    "products": [],
    "packages": [],
    "versions": [],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [],
    "paths": [],
    "services": [],
    "domains": [
      "index.php",
      "profiles.import"
    ],
    "urls": [],
    "ips": [],
    "hashes": [],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": []
  }
}