Recent reports indicate that cyber attackers are exploiting vulnerabilities in Joomla and the LiteSpeed cPanel plugin, posing significant risks to users. These security flaws are being used for unauthorized code execution and privilege escalation, necessitating immediate attention and action from affected users.
Joomla Vulnerability Details
The first vulnerability, identified as CVE-2026-48907, affects the Joomla Content Editor (JCE). This flaw, stemming from improper access controls, allows unauthenticated individuals to upload arbitrary files onto servers, leading to the execution of unauthorized PHP code. All previous versions of JCE Pro before 2.9.99.5 are impacted.
Joomla addressed this security issue with a patch released on June 3, followed by additional protections in version 2.9.99.6 on June 6. Despite these efforts, Joomla warned that the vulnerability is actively being exploited in the wild, with automated attacks and publicly available exploit code making even non-public registration sites vulnerable.
Steps for Joomla Users
Joomla has strongly advised users to update their software to the latest versions to mitigate these risks. However, they caution that updating alone will not clean a site that has already been compromised. They have provided indicators of compromise (IoCs) to assist administrators in identifying and addressing any breaches.
LiteSpeed Plugin Vulnerability
Similarly, a vulnerability in the LiteSpeed user-end plugin for cPanel, CVE-2026-54420, has been identified. This UNIX Symbolic Link (symlink) following vulnerability allows users with FTP or web shell access to elevate their privileges to root on shared hosting servers.
The vulnerability affects all versions of the plugin before 2.4.8, released on June 1. Users are urged to update immediately and use the provided commands to check for any signs of compromise.
Both vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog by the US Cybersecurity and Infrastructure Security Agency (CISA). Federal agencies are required to apply patches by mid-June to prevent potential risks posed by these security weaknesses, which could lead to automated asset takeovers.
The ongoing exploitation of these vulnerabilities highlights the critical importance of timely software updates and vigilance in cybersecurity practices.
