Vulnerabilities | Jun 17, 2026

Joomla, LiteSpeed Vulnerabilities Exploited in Attacks

Joomla and LiteSpeed vulnerabilities exploited in wild for code execution and privilege escalation.

Summary

Attackers are actively exploiting CVE-2026-48907 in Joomla Content Editor (JCE) to upload arbitrary PHP files and achieve code execution, affecting all versions before 2.9.99.5. Additionally, CVE-2026-54420 in LiteSpeed's cPanel plugin allows privilege escalation to root via symlink following on shared hosting servers. CISA has added both vulnerabilities to its Known Exploited Vulnerabilities catalog with patching deadlines for federal agencies.

Full text

Threat actors are targeting vulnerabilities in Joomla and the LiteSpeed cPanel plugin for code execution and privilege escalation.

Affecting the Joomla Content Editor (JCE) for Joomla and tracked as CVE-2026-48907, the first bug is described as an improper access issue that allows unauthenticated attackers to upload editor profiles. Attackers have been exploiting the flaw to upload arbitrary files to the server, leading to arbitrary PHP code execution.

All JCE Pro versions before 2.9.99.5 are affected. The security defect was addressed on June 3, and additional protections were included in version 2.9.99.6, released on June 6.

Over the weekend, Joomla urged users to update their deployments to the latest version as soon as possible, warning that CVE-2026-48907 has been exploited in the wild.

“The vulnerability is being actively exploited, working exploit code is public, and the attacks are automated, so a site with no public registration is not safe,” Joomla warned.

It also provided indicators of compromise (IoCs) to help site admins hunt for potential compromises.

“Updating closes the entry point but does not clean a site that was already compromised. If you were hit before updating, the update will not remove what the attacker left behind,” Joomla said.

LiteSpeed’s user-end plugin for cPanel was found vulnerable to CVE-2026-54420, a UNIX Symbolic Link (symlink) following vulnerability. Due to improper handling of symlinks, users with FTP or web shell access could elevate their privileges to root on the shared hosting servers running CloudLinux/CageFS.

The security defect impacts all versions of the user-end cPanel plugin before 2.4.8, which was released on June 1, and has been exploited in the wild since May. LiteSpeed users are advised to update their deployments immediately and to use the command provided by the maintainers to check whether their servers have been compromised.
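The symlink-following bug class that CVE-2026-54420 belongs to, as an added illustration that is not LiteSpeed's or cPanel's code: a privileged helper reading a file from a user-controlled directory, first in a form that follows symlinks, then hardened with O_NOFOLLOW plus an fstat ownership check on the open descriptor. The file names and temporary directory layout are constructed for the demo.

```python
import os
import stat
import tempfile


def read_following_symlinks(path: str) -> bytes:
    """Vulnerable pattern: a root-privileged helper opens whatever the
    user-controlled path resolves to, so a symlink planted by the user
    makes root read (or write) the link target."""
    with open(path, "rb") as f:
        return f.read()


def read_no_follow(path: str, expected_uid: int) -> bytes:
    """Hardened pattern: refuse a symlink at the final component (O_NOFOLLOW),
    then check the already-open descriptor with fstat so the file cannot be
    swapped between check and use. Symlinked parent dirs need a separate walk."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path}: owner uid {st.st_uid} != {expected_uid}")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a file outside the user's tree and a
    user-owned path that is a symlink pointing at it."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "outside-user-tree.txt")
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        userdir = os.path.join(tmp, "home", "user")
        os.makedirs(userdir)
        link = os.path.join(userdir, "config.txt")
        os.symlink(secret, link)  # the user-controlled path is a symlink
        legit = os.path.join(userdir, "own.txt")
        with open(legit, "wb") as f:
            f.write(b"ok")
        out = {"follow": read_following_symlinks(link)}  # root reads the target
        try:
            read_no_follow(link, os.getuid())
            out["nofollow"] = "allowed"
        except OSError:
            out["nofollow"] = "blocked"  # ELOOP raised by O_NOFOLLOW
        out["legit"] = read_no_follow(legit, os.getuid())  # regular file still works
        return out
```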
This week, the US Cybersecurity and Infrastructure Security Agency (CISA) added the LiteSpeed and Joomla bugs to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch them by June 18 and June 19, respectively.

Per CISA’s BOD 26-04, security weaknesses that require immediate patching pose the highest risks to federal agencies, as they can be abused in automated attacks that could lead to asset takeover.

Written by Ionut Arghire, an international correspondent for SecurityWeek.

Indicators of Compromise

  • cve — CVE-2026-48907
  • cve — CVE-2026-54420

Entities

  • Joomla Content Editor (JCE) (product)
  • LiteSpeed cPanel Plugin (product)
  • Joomla Project (vendor)
  • LiteSpeed Technologies (vendor)
  • CloudLinux/CageFS (product)
  • cPanel (technology)