Widget Factory Joomla Content Editor CVE-2026-48907: KEV Unauthenticated Profile Upload to PHP RCE
CISA added CVE-2026-48907 to KEV on 2026-06-16. JCE 2.9.99[.]5 and 2.9.99[.]6 fix an unauthenticated editor-profile upload flaw that can lead to PHP code execution on Joomla sites.