A critical flaw in the Joomla Content Editor (JCE), one of the most widely used editor extensions for the Joomla CMS, is being actively exploited to take over websites. The bug (CVE-2026-48907, rated a perfect 10) is an access-control failure that lets an unauthenticated attacker create editor profiles and then upload and run arbitrary PHP code, leading to full server compromise. CISA added it to its known-exploited list and ordered federal agencies to patch by June 19. Working exploit code is public and attacks are automated, so even sites with no public registration are at risk. Patching closes the hole but does not remove anything attackers already planted.
Drupal has issued an update to its highly critical PSA-2026-05-18 advisory confirming that exploit attempts for CVE-2026-9082 are now being detected in the wild. The bug is an SQL injection in Drupal's database abstraction API that lets unauthenticated requests trigger arbitrary SQL on sites running PostgreSQL, with possible escalation to RCE, privilege escalation, and information disclosure. Drupal rates it 23 out of 25 on its internal scale, though NIST's CVSS v3 score is a mismatched 6.5. CISA added it to KEV on May 22. Affected versions cover Drupal 8.9.x and all 10.x and 11.x branches up to 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10.
Drupal has shipped the highly critical core security release teased by PSA-2026-05-18. The flaw lets attackers achieve remote code execution on Drupal sites running PostgreSQL backends. Fixed versions are 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. The releases for supported branches also pull in upstream Symfony and Twig security fixes, making the upgrade essential even on MySQL deployments. Best-effort manual patches are available for end-of-life Drupal 9.5 and 8.9. Drupal 7 is not affected. The Drupal Security Team had warned that working exploits could follow within hours of disclosure, so administrators should patch now.
Drupal is releasing an emergency core security update on May 20 between 17:00 and 21:00 UTC. Pre-disclosure advisory PSA-2026-05-18 rates the issue 'highly critical' (20 of 25 on Drupal's scoring) and notes access complexity 'None' and authentication 'None' - meaning the underlying flaw is unauthenticated and easy to trigger. Patches will land for the supported 11.3.x, 11.2.x, 10.6.x, and 10.5.x branches, plus emergency patches for EOL 11.1.x and 10.4.x. Drupal 7 is not affected. Drupal 8 and 9 will only get best-effort manual patch files. The Drupal Security Team warns working exploits may follow within hours of disclosure.