Widget Factory Joomla Content Editor Allows Unauthenticated Code Execution
A critical vulnerability in Widget Factory’s Joomla Content Editor permits unauthenticated users to upload and execute PHP code by creating new editor profiles. CISA has added this to its Known Exploited Vulnerabilities catalog and recommends patching according to BOD 26-04 guidance by June 19, 2026. Organizations unable to apply mitigations should discontinue use of the affected product.
Why it matters in Western Canada: Joomla is widely deployed by universities, municipal governments, healthcare institutions, and credit unions across Western Canada for content management. Exploitation of this vulnerability could lead to complete website compromise and lateral movement into organizational networks.
CVEs: CVE-2026-48907
Summary generated from the original advisory. Read the full source: cisa-kev
- Source: https://nvd.nist.gov/vuln/detail/CVE-2026-48907
- CVEs: CVE-2026-48907
- Tags: joomla, access-control, rce, unauthenticated, cms
- Provenance: mask2-ti-pipeline (AI-assisted, human-reviewable)