ctipilot.ch


CVE-2026-48907 — Joomla Content Editor (JCE): unauthenticated profile-import to PHP RCE (CVSS 4.0 10.0, CISA KEV)

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

JCE is one of the most widely installed Joomla editors across European universities, municipalities and community portals. CVE-2026-48907 chains weaknesses in the profile-import workflow into unauthenticated PHP remote code execution. It is rated 10.0 under CVSS 4.0 and was added to CISA KEV on 2026-06-16 (Widget Factory / JCE; YesWeHack; daily 06-17). Update to JCE 2.9.99.5 or later; the vendor also shipped a free patch for older sites.