If your business website runs on Joomla, this one needs your attention today. The US Cybersecurity and Infrastructure Security Agency has added a maximum-severity flaw in the popular Joomla Content Editor (JCE) extension to its Known Exploited Vulnerabilities catalogue, confirming it’s being attacked in the wild, as reported by The Hacker News. The bug, CVE-2026-48907, carries a CVSS score of 10.0 — the highest there is.
It’s an access-control failure that lets an unauthenticated attacker create a rogue editor profile and then upload and run PHP code. In plain terms: a stranger on the internet can drop a web shell on your server and quietly help themselves to a permanent back door. The attacks are automated and working exploit code is public, so vulnerable sites are being found and hit without anyone needing to single you out. Every JCE version from 1.0.0 through 2.9.99.4 is affected.
Here’s what to do. Update JCE to version 2.9.99.5 (released 3 June) right now — it closes the hole. Then check the site for unfamiliar admin or editor profiles, unexpected PHP files, and altered page footers, because a patch doesn’t remove a back door that’s already in place. If you can’t be sure whether your site has been touched, treat it as compromised until proven otherwise and have it reviewed properly.
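A small triage helper for the checks above, added here as an example and not code from the advisory or from the JCE project: it tells you whether a reported JCE version falls inside the affected range (1.0.0 through 2.9.99.4) and lists PHP files sitting under a Joomla media directory, where no PHP belongs. The `images` directory and the sample site tree are assumptions made for the demonstration.

```python
"""Triage helper for the JCE advisory: flag a vulnerable JCE version and
list PHP files in directories that should only hold uploaded media.
Added example, not code from the advisory or from the JCE project."""
import tempfile
from pathlib import Path

# Range from the advisory: 1.0.0 through 2.9.99.4 affected, 2.9.99.5 fixed.
FIRST_AFFECTED = (1, 0, 0)
FIXED_IN = (2, 9, 99, 5)


def parse_version(text):
    """Turn '2.9.99.4' into a tuple of ints so versions compare numerically."""
    return tuple(int(p) for p in text.strip().split("."))


def jce_is_vulnerable(version):
    """True when the installed JCE version is inside the affected range."""
    v = parse_version(version)
    return FIRST_AFFECTED <= v < FIXED_IN


def php_files_in_media_dirs(site_root, media_dirs=("images",)):
    """Return PHP files found under the site's media/upload directories.
    A web shell dropped through an editor upload path usually lands there.
    'images' is assumed to be the site's media directory; adjust as needed."""
    root = Path(site_root)
    found = []
    for d in media_dirs:
        for p in (root / d).rglob("*"):
            if p.is_file() and p.suffix.lower() in (".php", ".phtml", ".php5"):
                found.append(p.relative_to(root).as_posix())
    return sorted(found)


def build_sample_site():
    """Constructed sample site tree (not real data) used to show the scan."""
    root = Path(tempfile.mkdtemp(prefix="joomla_sample_"))
    (root / "images" / "banners").mkdir(parents=True)
    (root / "images" / "banners" / "logo.png").write_bytes(b"\x89PNG")
    (root / "images" / "cache.php").write_text("<?php /* suspicious */ ?>")
    (root / "index.php").write_text("<?php /* legitimate front controller */")
    return str(root)


if __name__ == "__main__":
    for ver in ("2.9.99.4", "2.9.99.5"):
        print(ver, "vulnerable" if jce_is_vulnerable(ver) else "patched")
    print("PHP in media dirs:", php_files_in_media_dirs(build_sample_site()))
```

Point `php_files_in_media_dirs` at the real site root and every upload directory the site uses; any hit deserves a look before you decide the site is clean.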
This isn’t only a Joomla problem — the same week brought active supply-chain attacks on widely used WordPress plugins too. The common thread is websites and plugins that aren’t kept patched. If your site isn’t on a managed update schedule, that’s the gap worth closing this week. Our cybersecurity team can audit your website and lock down how it’s maintained.
