
CISA lists CVE-2026-48907 in its KEV catalog as a maximum-severity flaw in Joomla JCE versions 1.0.0 to 2.9.99.4. The flaw allows unauthenticated users to upload and execute PHP code via new editor profiles. A patch was released in JCE 2.9.99.5 on June 3, 2026. FCEB agencies must apply the fix by June 19, 2026.
Summary by ByteBrief