VYPR
kev · Published Jun 16, 2026 · 1 source

CISA Adds Widget Factory Joomla Content Editor Flaw CVE-2026-48907 to KEV Catalog

CISA has added CVE-2026-48907, an improper access control vulnerability in the Widget Factory Joomla Content Editor, to its Known Exploited Vulnerabilities catalog due to active exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The flaw, tracked as CVE-2026-48907, is an improper access control vulnerability in the Widget Factory Joomla Content Editor, a popular extension for the Joomla content management system. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise, according to CISA.

The Widget Factory Joomla Content Editor is widely used by Joomla site administrators to enhance content creation capabilities. The improper access control flaw could allow an attacker to bypass authentication mechanisms and gain unauthorized access to sensitive functions or data. While specific technical details of the exploit have not been publicly disclosed, CISA's inclusion in the KEV catalog confirms that threat actors are actively leveraging this vulnerability in real-world attacks.

CISA's addition of CVE-2026-48907 to the KEV catalog comes under the framework of Binding Operational Directive (BOD) 26-04, which was issued to replace the earlier BOD 22-01. BOD 26-04 requires Federal Civilian Executive Branch (FCEB) agencies to prioritize remediation of KEV-listed vulnerabilities on publicly exposed assets where exploitation grants total control of the asset. The directive also sets basic expectations for when agencies must check whether threat actors had already compromised a system before the patch was applied.

While BOD 26-04 applies only to FCEB agencies, CISA strongly encourages all organizations—including private sector entities, state and local governments, and critical infrastructure operators—to adopt risk-based vulnerability management practices and prioritize patching KEV catalog entries. The agency emphasizes that known exploited vulnerabilities represent a clear and present danger, as attackers have already demonstrated the ability to weaponize them.

CISA will continue to add vulnerabilities to the catalog that meet the specified criteria, which include having a CVE ID, evidence of exploitation, and clear mitigation guidance. Organizations that are aware of an exploited vulnerability not currently listed in the KEV catalog are encouraged to submit it for potential addition via the KEV Nomination Form.

The addition of CVE-2026-48907 underscores the ongoing challenge of securing content management system extensions, which are often targeted by attackers due to their widespread deployment and sometimes lax security practices. Joomla administrators are urged to check for updates from Widget Factory and apply any available patches immediately. If no patch is yet available, organizations should consider implementing additional access controls or temporarily disabling the vulnerable component on internet-facing systems.

This KEV addition is part of a broader trend of CISA actively cataloging exploited vulnerabilities across a wide range of products, from enterprise software to open-source components. The agency's KEV catalog now includes hundreds of entries, serving as a critical resource for organizations seeking to prioritize their patching efforts against the most imminent threats.
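The prioritization the two previous paragraphs describe (patch KEV entries first, with publicly exposed assets ahead of internal ones) is easy to automate against the KEV feed. The script below is an added example, not code from this article, from CISA or from Widget Factory. It cross-references a constructed asset inventory against a constructed snapshot that mirrors the field names of CISA's KEV JSON feed (the live feed is published at the URL in `KEV_FEED_URL`); the due date, the second catalog entry and all host names are placeholders, since the article gives no remediation deadline.

```python
import json
from datetime import date

# Real location of the live feed; the example never fetches it and runs offline
# on the constructed snapshot below.
KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
)

# Constructed snapshot using the KEV feed's field names. The dueDate for
# CVE-2026-48907 is a placeholder (the article states none), and the second
# entry (CVE-2026-00000) is a made-up filler record used only to show ordering.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.06.16",
    "dateReleased": "2026-06-16T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-48907",
            "vendorProject": "Widget Factory",
            "product": "Joomla Content Editor",
            "vulnerabilityName": "Widget Factory Joomla Content Editor Improper Access Control Vulnerability",
            "dateAdded": "2026-06-16",
            "shortDescription": "Improper access control in the Joomla Content Editor extension.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
            "dueDate": "2026-07-07",   # placeholder, not from the advisory
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2026-00000",   # constructed filler entry
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Constructed entry for ordering demonstration",
            "dateAdded": "2026-05-11",
            "shortDescription": "Constructed.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-06-01",   # already past on the test date below
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})

# Constructed inventory, as a scanner or CMDB export might provide it:
# which hosts carry which CVEs, and whether the host is internet-facing.
INVENTORY = [
    {"asset": "www-joomla-01", "exposed": True,  "cves": ["CVE-2026-48907"]},
    {"asset": "intranet-cms",  "exposed": False, "cves": ["CVE-2026-48907"]},
    {"asset": "build-runner",  "exposed": True,  "cves": ["CVE-2026-00000"]},
    {"asset": "dev-laptop",    "exposed": False, "cves": ["CVE-2026-99999"]},  # not in KEV
]


def load_kev(feed_json: str) -> dict:
    """Index a KEV feed document by CVE ID."""
    catalog = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def triage(inventory: list, kev: dict, today_iso: str) -> list:
    """Return one finding per (asset, CVE), most urgent first.

    Ordering: KEV-listed before unlisted, exposed before internal, then
    earliest due date. Unlisted CVEs still appear so they are not lost.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for host in inventory:
        for cve in host["cves"]:
            entry = kev.get(cve)
            finding = {"asset": host["asset"], "cve": cve, "exposed": host["exposed"]}
            if entry is None:
                finding.update(in_kev=False, due_date=None, days_until_due=None,
                               status="not-in-kev", required_action=None)
            else:
                days = (date.fromisoformat(entry["dueDate"]) - today).days
                finding.update(in_kev=True, due_date=entry["dueDate"], days_until_due=days,
                               status="overdue" if days < 0 else f"due-in-{days}d",
                               required_action=entry["requiredAction"])
            findings.append(finding)
    findings.sort(key=lambda f: (
        not f["in_kev"],
        not f["exposed"],
        f["days_until_due"] if f["days_until_due"] is not None else 10**6,
    ))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, load_kev(KEV_SNAPSHOT), date.today().isoformat()):
        print(f"{f['asset']:<14} {f['cve']:<16} exposed={f['exposed']!s:<5} {f['status']}")
```

In practice the snapshot would be replaced by the downloaded feed and the inventory by a scanner export; the sort key is where an organization's own policy lives, and the exposed-before-internal rule mirrors the emphasis BOD 26-04 places on publicly exposed assets.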

Synthesized by Vypr AI