Education — exposed CMS and forum software stack a structural risk

Education entities sat under two pressures this week: the continuing ShinyHunters PeopleSoft campaign that W24 documented landing disproportionately on universities, and a cluster of critical web-application CVEs in software ubiquitous across European universities and student communities — JCE for Joomla (CVE-2026-48907, exploited), phpBB (CVE-2026-48611), Drupal core (CVE-2026-55803, BSI critical) and LiteSpeed shared-hosting (CVE-2026-54420, exploited), all in § 3. The pattern is not a single incident but an attack-surface concentration: the open-source CMS/forum/hosting stack that the education sector runs widely all took critical, partly-exploited disclosures in one week.