CISA adds JCE Joomla CVE-2026-48907 to KEV — pre-auth RCE, CVSS 10
CISA added CVE-2026-48907 to KEV on June 16 — an unauth profile-import chain in the JCE Joomla extension that lets attackers upload and execute PHP. Patch in JCE 2.9.99.5.
CISA added CVE-2026-48907 to KEV on June 16 — an unauth profile-import chain in the JCE Joomla extension that lets attackers upload and execute PHP. Patch in JCE 2.9.99.5.