Threat actors are targeting vulnerabilities in Joomla and the LiteSpeed cPanel plugin for code execution and privilege escalation.
The first bug, tracked as CVE-2026-48907, affects the Joomla Content Editor (JCE) and is described as an improper access control issue that allows unauthenticated attackers to upload editor profiles.
Attackers have been exploiting the flaw to upload arbitrary files to the server, leading to arbitrary PHP code execution.
All JCE Pro versions before 2.9.99.5 are affected. The security defect was addressed on June 3, and additional protections were included in version 2.9.99.6, released on June 6.
Over the weekend, Joomla urged users to update their deployments to the latest version as soon as possible, warning that CVE-2026-48907 has been exploited in the wild.
“The vulnerability is being actively exploited, working exploit code is public, and the attacks are automated, so a site with no public registration is not safe,” Joomla warned.
It also provided indicators of compromise (IoCs) to help site admins hunt for potential compromises.
“Updating closes the entry point but does not clean a site that was already compromised. If you were hit before updating, the update will not remove what the attacker left behind,” Joomla said.
LiteSpeed’s user-end plugin for cPanel was found vulnerable to CVE-2026-54420, a UNIX Symbolic Link (symlink) following vulnerability.
Due to improper handling of symlinks, users with FTP or web shell access could elevate their privileges to root on shared hosting servers running CloudLinux/CageFS.
The security defect impacts all versions of the user-end cPanel plugin before 2.4.8, which was released on June 1, and has been exploited in the wild since May.
LiteSpeed users are advised to update their deployments immediately and to use the command provided by the maintainers to check whether their servers have been compromised.
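To make the bug class concrete, here is an added example (not LiteSpeed's code, and not a description of the actual CVE-2026-54420 bug) showing the generic symlink-following pattern in C: a privileged helper that opens a file under a user-writable directory with a plain open() will happily follow a symlink the user planted there, while the hardened variant refuses symlinks with O_NOFOLLOW and confirms the opened descriptor is a regular file with fstat(). All paths, file names and the scratch layout under /tmp are constructed for this demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed scratch layout (all names are assumptions for this example):
 *   <base>/secret        - a file only a privileged process should read
 *   <base>/userdir/link  - a symlink the low-privileged user planted,
 *                          pointing at ../secret
 * Returns 0 on success and writes the base directory into base. */
static int make_layout(char *base, size_t base_len) {
    char path[256];
    if (base_len < 32) return -1;
    snprintf(base, base_len, "/tmp/symlink-demo-XXXXXX");
    if (mkdtemp(base) == NULL) return -1;

    snprintf(path, sizeof path, "%s/secret", base);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write(fd, "SECRET\n", 7) != 7) { close(fd); return -1; }
    close(fd);

    snprintf(path, sizeof path, "%s/userdir", base);
    if (mkdir(path, 0700) != 0) return -1;
    snprintf(path, sizeof path, "%s/userdir/link", base);
    if (symlink("../secret", path) != 0) return -1;
    return 0;
}

/* Vulnerable pattern: a privileged helper opens a path inside a
 * user-controlled directory with plain open(), which silently follows
 * whatever symlink the user put there. */
int read_user_file_vulnerable(const char *path, char *out, size_t out_len) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, out, out_len - 1);
    close(fd);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}

/* Hardened pattern: O_NOFOLLOW makes open() fail with ELOOP when the final
 * path component is a symlink, and fstat() on the descriptor we actually
 * opened (not stat() on the path, which could race) confirms it is a
 * regular file. */
int read_user_file_hardened(const char *path, char *out, size_t out_len) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                 /* errno == ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    ssize_t n = read(fd, out, out_len - 1);
    close(fd);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}

/* Runs both readers against the planted symlink and returns a bitmask:
 *   1 - the vulnerable reader followed the link and leaked the secret
 *   2 - the hardened reader refused the link with ELOOP
 *   4 - the hardened reader still reads a genuine regular file
 * 7 is the expected outcome; -1 means the scratch layout could not be built.
 * The scratch directory is removed before returning. */
int run_symlink_demo(void) {
    char base[64], link_path[256], secret_path[256], buf[64];
    int result = 0;
    if (make_layout(base, sizeof base) != 0) return -1;
    snprintf(link_path, sizeof link_path, "%s/userdir/link", base);
    snprintf(secret_path, sizeof secret_path, "%s/secret", base);

    if (read_user_file_vulnerable(link_path, buf, sizeof buf) == 0 &&
        strcmp(buf, "SECRET\n") == 0)
        result |= 1;
    if (read_user_file_hardened(link_path, buf, sizeof buf) != 0 && errno == ELOOP)
        result |= 2;
    if (read_user_file_hardened(secret_path, buf, sizeof buf) == 0 &&
        strcmp(buf, "SECRET\n") == 0)
        result |= 4;

    unlink(link_path);
    unlink(secret_path);
    snprintf(link_path, sizeof link_path, "%s/userdir", base);
    rmdir(link_path);
    rmdir(base);
    return result;
}

int main(void) {
    int r = run_symlink_demo();
    printf("vulnerable reader leaked secret:   %s\n", (r & 1) ? "yes" : "no");
    printf("hardened reader refused symlink:   %s\n", (r & 2) ? "yes" : "no");
    printf("hardened reader read regular file: %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

Compile with `cc -o symlink-demo symlink-demo.c` and run it as an ordinary user; no root is needed to see the difference in behaviour. Note that O_NOFOLLOW only protects the final path component: if the user also controls an intermediate directory, each component must be opened separately with openat() and O_NOFOLLOW (or, on Linux 5.6+, openat2() with RESOLVE_NO_SYMLINKS), and privileged code that writes into user-owned directories should additionally prefer O_EXCL on creation so a pre-planted link cannot redirect the write.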
This week, the US Cybersecurity and Infrastructure Security Agency (CISA) added the LiteSpeed and Joomla bugs to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch them by June 18 and June 19, respectively.
Under CISA’s BOD 26-04, vulnerabilities flagged for immediate patching are those posing the highest risk to federal agencies, as they can be abused in automated attacks that lead to asset takeover.
