Critical Joomla Vulnerabilities & LiteSpeed Exploits Exposed in Cyber Attacks

Joomla Content Editor Vulnerability Exposes Systems to Unauthorized Access Threat actors are leveraging recently disclosed security flaws in the Joomla Content Editor (JCE) and the LiteSpeed cPanel plugin to execute malicious code and escalate privileges on affected systems.

Joomla Content Editor Vulnerability Exposes Systems to Unauthorized Access

The Joomla JCE vulnerability, designated as CVE-2026-48907, allows unauthenticated attackers to upload custom editor profiles, creating a pathway for arbitrary file uploads and subsequent PHP code execution. This flaw impacts all JCE Pro versions prior to 2.9.99.5. The issue was resolved on June 3 with the release of version 2.9.99.6, which includes additional safeguards against exploitation. Joomla has issued an urgent advisory for users to apply the latest updates immediately. The organization highlighted that the vulnerability is actively being exploited in real-world scenarios, with publicly available exploit code enabling automated attacks. Even sites without public registration mechanisms are at risk, as the flaw can be triggered through internal access points. Joomla also provided a set of indicators of compromise (IoCs) to assist administrators in identifying potential breaches. However, the organization emphasized that patching alone does not eliminate existing threats, as attackers may have left behind malicious artifacts that require manual removal.

LiteSpeed cPanel Plugin Flaw Enables Privilege Escalation

A separate vulnerability, CVE-2026-54420, affects the LiteSpeed user-end plugin for cPanel. This flaw stems from improper handling of UNIX symbolic links (symlinks), allowing users with FTP or web shell access to escalate their privileges to root on shared hosting environments utilizing CloudLinux/CageFS. The vulnerability impacts all versions of the plugin prior to 2.4.8, which was released on June 1. Exploitation of this flaw has been observed in the wild since May, with attackers leveraging it to gain full control over targeted servers. LiteSpeed has urged users to update their installations promptly and provided a command-line tool to check for signs of compromise. The company stressed that delayed patching increases the likelihood of successful attacks, as the flaw can be exploited remotely once the necessary access is obtained.

CISA Adds Both Vulnerabilities to Exploited Vulnerabilities Catalog

CISA has included both vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to address them by specific deadlines. Joomla’s flaw must be patched by June 19, while the LiteSpeed issue requires remediation by June 18. CISA’s BOD 26-04 underscores the urgency of these updates, as unpatched systems are susceptible to automated attacks that could lead to full asset takeover. The agency reiterated that vulnerabilities requiring immediate attention pose the highest risk to critical infrastructure and government networks. Organizations are advised to conduct thorough security audits, apply available patches, and monitor for IoCs associated with these flaws. The combination of public exploit availability and automated attack tools highlights the importance of proactive mitigation strategies to prevent unauthorized access and data breaches.

About Author

Anuj

See author's posts