CISA orders feds to patch Joomla plugin flaw by Friday

CISA ordered federal agencies to patch CVE-2026-48907, a maximum-severity flaw in the Widget Factory Joomla Content Editor plugin, by Friday. The vulnerability allows unauthenticated code execution and is actively exploited with public exploit code. JCE Pro 2.9.99.6 fixes the issue.