Security researchers and software vendors warn that attackers are actively exploiting vulnerabilities in both Joomla and the LiteSpeed cPanel plugin, posing significant risks to website administrators and shared hosting environments.
One of the most urgent issues is CVE-2026-48907, a critical vulnerability affecting the Joomla Content Editor (JCE). The flaw stems from an improper access-control weakness that allows unauthenticated attackers to upload editor profiles and, ultimately, execute arbitrary PHP code on vulnerable servers. Security experts say threat actors are already abusing the bug in real-world attacks.
The JCE security update was first released on June 3, 2026, with JCE version 2.9.99.5 addressing the vulnerability. A second release, version 2.9.99.6, followed on June 6 and introduced additional hardening measures. All JCE Pro versions before 2.9.99.5 are affected.
Over the weekend, Joomla urged administrators to update immediately, warning that CVE-2026-48907 is being exploited in the wild. The project stated: “The vulnerability is being actively exploited, working exploit code is public, and the attacks are automated, so a site with no public registration is not safe.”
How CVE-2026-48907 Works
According to the JCE security update advisory, attackers exploit the flaw by importing a malicious editor profile that permits uploads of executable files. Once the profile is installed, arbitrary PHP files can be uploaded and executed on the server.
Administrators are advised to review Components → JCE Editor → Editor Profiles for unfamiliar profiles, particularly those with randomly generated names or configurations allowing PHP uploads through plugins such as Image Manager or File Browser. Another warning sign is a front-end editor displaying a stripped-down toolbar.
The most reliable evidence of compromise is found in web server logs. Administrators should search for unauthenticated requests targeting index.php?option=com_jce&task=profiles.import. The earliest matching request can help determine when an intrusion began and identify a safe backup point for restoration.
Indicators of Compromise and Response Steps
The JCE security update guidance warns administrators to investigate any unexpected PHP files located in images, media, or tmp directories. Files containing “php” in their names, such as foo.php.xml, should also be treated as suspicious.
If compromise is suspected, administrators should preserve suspicious files for forensic analysis, install JCE 2.9.99.6 or later, remove rogue profiles, delete malicious uploads, change administrator, database, hosting, and FTP passwords, and perform a full server-side malware scan.
The advisory stresses that updating alone does not remove malicious files already planted on a compromised system. Closing the vulnerability prevents reinfection but does not clean an existing breach.
Legacy Sites and LiteSpeed Risks
For older deployments unable to meet the requirements of JCE 2.9.99.6—PHP 7.4 and 3.10 or later—a free patch is available for JCE 2.7.x, 2.8.x, and 2.9.x branches. However, the patch only fixes CVE-2026-48907 and does not include the additional hardening found in the latest release.
Separately, attackers are also targeting a vulnerability in the LiteSpeed cPanel plugin. The flaw can be exploited for privilege escalation, potentially allowing attackers to obtain root-level access on shared hosting servers. Together, the Joomla and LiteSpeed cPanel plugin vulnerabilities highlight the growing threat posed by actively exploited web hosting and content management system weaknesses.
