Joomla, LiteSpeed Vulnerabilities Exploited in Attacks
The flaws allow attackers to execute arbitrary PHP code and gain root privileges on shared hosting servers. The post Joomla, LiteSpeed Vulnerabilities Exploited in Attacks appeared first on SecurityWeek.
AI Analysis
Technical Summary
The Joomla Content Editor (JCE) suffers from an improper access control vulnerability (CVE-2026-48907) that allows unauthenticated attackers to upload editor profiles and arbitrary files, resulting in arbitrary PHP code execution. This affects all JCE Pro versions before 2.9.99.5 and was patched in version 2.9.99.6. Separately, the LiteSpeed user-end cPanel plugin has a UNIX symbolic link following vulnerability (CVE-2026-54420) that permits users with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS. This affects all plugin versions before 2.4.8 and was patched on June 1. Both vulnerabilities have been exploited in the wild in automated attacks, and public exploit code exists. The US Cybersecurity and Infrastructure Security Agency (CISA) has mandated patching by June 18 and June 19 respectively, highlighting the high risk of asset takeover. Joomla has provided indicators of compromise to assist in detection.
Potential Impact
Successful exploitation of CVE-2026-48907 allows unauthenticated attackers to execute arbitrary PHP code on Joomla servers, potentially leading to full site compromise. Exploitation of CVE-2026-54420 enables privilege escalation to root on shared hosting servers, risking complete server takeover. Both vulnerabilities have been actively exploited in automated attacks, increasing the risk of widespread compromise and persistent backdoors. Patching alone does not remediate an existing compromise; additional incident response is required.
Mitigation Recommendations
Official patches are available and must be applied immediately: update Joomla JCE Pro to version 2.9.99.6 or later and the LiteSpeed cPanel plugin to version 2.4.8 or later. Joomla provides indicators of compromise to detect prior intrusions; patching does not remove existing backdoors or malware. LiteSpeed users should run the vendor-provided commands to check for compromise. The US CISA mandates patching for federal agencies by June 18 and June 19. No alternative mitigation substitutes for patching; updating is the primary defense.
Technical Details
- Article source: https://www.securityweek.com/joomla-litespeed-vulnerabilities-exploited-in-attacks/ (fetched 2026-06-17T07:30:18Z, 1085 words)
Threat ID: 6a324d0a0b89be6888f37676
Added to database: 6/17/2026, 7:30:18 AM