Dateline: June 17, 2026
Joomla’s JCE Pro Flaw Lets Attackers In Without a Login
Two popular pieces of website software just landed on a federal must-patch list, and the reason is simple: attackers are already breaking in.
What Happened?
Joomla and LiteSpeed both confirmed this week that flaws in their software are being actively exploited. The first hits the Joomla Content Editor (JCE), a widely used plugin for managing website content. The second sits inside LiteSpeed's cPanel plugin, which runs on a huge number of shared hosting servers. Both bugs are now in CISA's Known Exploited Vulnerabilities catalog, and federal agencies have until June 18 and 19 to patch them.
CISA’s Patch Deadline Is This Week
Both bugs are now on the Known Exploited Vulnerabilities list
Federal agencies must patch by the June 18 and 19 deadlines. Everyone else should not wait that long either.
The Joomla flaw, tracked as CVE-2026-48907, lives in JCE Pro, the editor plugin. The bug lets an attacker upload editor profiles without ever logging in. Editor profiles govern what the editor allows users to upload, so a planted profile opens the door to arbitrary files, including PHP scripts that run directly on the server.
Joomla says the attacks are automated, and because the profile upload needs no account at all, turning off public registration does not protect a site. All versions before 2.9.99.5 are affected. The fix landed on June 3 as 2.9.99.5, with extra protections added on June 6 in version 2.9.99.6.
The LiteSpeed bug, CVE-2026-54420, is a different kind of problem. It is a symlink-following flaw in the plugin's user-end cPanel tool. Anyone with FTP or web shell access on a shared server can use it to jump from a regular account straight to root, as long as the server runs CloudLinux or CageFS. That bug has been under attack since May. Versions before 2.4.8 are vulnerable, and LiteSpeed shipped a fix on June 1.
The Impact
What makes both of these dangerous is scale. JCE Pro runs on a large slice of Joomla sites worldwide, and LiteSpeed’s cPanel plugin is everywhere shared hosting is sold. One unpatched site can mean a defaced page. One unpatched hosting server can mean root access to every account sitting on it. Joomla was blunt about the cleanup problem too. Patching closes the door, but it does not undo what an attacker already did before the fix went live. Anyone hit before updating needs to check for backdoors, not just install the patch and move on.
How to Avoid This
- Update JCE Pro to 2.9.99.6 or later and the LiteSpeed cPanel plugin to 2.4.8 or later right away.
- Check both vendors’ indicators of compromise before assuming your site is clean, since patching alone will not remove anything an attacker already planted.
- If you run shared hosting, confirm CageFS is configured correctly and review which accounts actually need FTP or web shell access.
- Treat any CMS plugin running on a public facing site as a target, not an afterthought.
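Steps one and two above, as an added example that is not code from Joomla, JCE, LiteSpeed or this article: a Python script that compares installed versions against the floors the article names (with real dotted-version comparison, since a plain string compare would rank 2.10.0 below 2.9.99.6) and then sweeps a media-only upload tree for PHP that a planted editor profile could have let through. The Joomla manifest path, the hand-supplied LiteSpeed version, the upload directory and the file heuristic are all assumptions; the vendors' published indicators of compromise remain the authoritative check.

```python
"""Two of the checks from the list above (added example, not vendor code).

Assumed, not from the advisories: JCE's installed version is read from the
Joomla manifest administrator/components/com_jce/jce.xml, the LiteSpeed plugin
version is supplied by the operator, and the backdoor sweep is a generic
heuristic (PHP code sitting in a media-only upload tree), not the vendors' IoC
lists, which should still be consulted.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Minimum versions the article recommends. 2.9.99.5 closed CVE-2026-48907;
# 2.9.99.6 added the June 6 hardening, so that is the floor used here.
MINIMUM_SAFE = {
    "jce-pro": "2.9.99.6",        # CVE-2026-48907
    "litespeed-cpanel": "2.4.8",  # CVE-2026-54420
}

PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=")
PHP_EXTENSIONS = (".php", ".phtml", ".phar", ".php5", ".php7")


def parse_version(text):
    """'2.9.99.6' -> (2, 9, 99, 6). Plain string comparison would rank
    '2.10.0' below '2.9.99.6'; integer tuples compare correctly."""
    return tuple(int(part) for part in text.strip().split("."))


def below_minimum(product, installed):
    """True when the installed version is older than the recommended floor."""
    have, need = parse_version(installed), parse_version(MINIMUM_SAFE[product])
    width = max(len(have), len(need))  # pad so 2.4.8.0 == 2.4.8
    return have + (0,) * (width - len(have)) < need + (0,) * (width - len(need))


def jce_version_from_manifest(manifest_path):
    """Read <version> from a Joomla extension manifest (path is an assumption)."""
    node = ET.parse(manifest_path).getroot().find("version")
    if node is None or not node.text:
        raise ValueError("no <version> element in %s" % manifest_path)
    return node.text.strip()


def find_php_in_upload_tree(upload_dir):
    """Paths under a media-only tree that look like PHP: a PHP extension, a
    double extension such as .php.jpg, or a PHP open tag inside a file that
    claims to be an image. Run this after patching; the update does not
    remove anything uploaded through the old profile."""
    hits = []
    for dirpath, _, names in os.walk(upload_dir):
        for name in names:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(PHP_EXTENSIONS) or any(ext + "." in lower for ext in PHP_EXTENSIONS):
                hits.append(path)
                continue
            with open(path, "rb") as fh:
                if PHP_OPEN_TAG.search(fh.read(64 * 1024)):  # head of file is enough for a tag scan
                    hits.append(path)
    return sorted(hits)


def run_checks(manifest_path, upload_dir, litespeed_version):
    """Combine both checks into one report dict (paths reported with '/')."""
    jce = jce_version_from_manifest(manifest_path)
    return {
        "jce_version": jce,
        "jce_below_minimum": below_minimum("jce-pro", jce),
        "litespeed_below_minimum": below_minimum("litespeed-cpanel", litespeed_version),
        "suspicious_files": [os.path.relpath(p, upload_dir).replace(os.sep, "/")
                             for p in find_php_in_upload_tree(upload_dir)],
    }


def build_demo():
    """Constructed sample data: an unpatched JCE manifest and an images tree
    with two planted files beside one real image. Returns (manifest, images)."""
    base = tempfile.mkdtemp(prefix="jce-check-")
    manifest = os.path.join(base, "jce.xml")
    with open(manifest, "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n'
                 '<extension type="component" method="upgrade">\n'
                 '  <name>COM_JCE</name>\n  <version>2.9.99.4</version>\n</extension>\n')
    images = os.path.join(base, "images")
    os.makedirs(os.path.join(images, "stories"))
    with open(os.path.join(images, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # benign image header
    with open(os.path.join(images, "stories", "thumb.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"<?php system($_GET['c']); ?>")  # image/PHP polyglot
    with open(os.path.join(images, "stories", "cache.jpg.php"), "w") as fh:
        fh.write("<?php eval($_POST['x']); ?>")  # double extension
    return manifest, images


if __name__ == "__main__":
    manifest, images = build_demo()
    for key, value in run_checks(manifest, images, "2.4.7").items():
        print(key, value)
```

On a real site, point `jce_version_from_manifest` at the installed manifest and `find_php_in_upload_tree` at the directory the editor uploads into (`images/` on a default Joomla install), and treat every hit as something to triage by hand, since a legitimate image will never start with a PHP open tag.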
Plugins Age Fast, and Attackers Know It
Secure.com helps teams catch the gap between a published CVE and an actual exploit hitting their environment.
- Tracks newly disclosed vulnerabilities against the software your business actually runs
- Flags assets still exposed after a patch ships, instead of assuming the job is done
- Helps prioritize fixes based on what attackers are exploiting right now, not just CVSS scores
- Surfaces signs of compromise that linger after a vulnerable plugin gets patched
- Cuts down the manual work of cross-checking CISA's KEV catalog against your own asset list