Last updated: July 5, 2026 at 9:01 AM UTC
Tag: cms (4 articles)

Critical Joomla JCE editor flaw actively exploited to run PHP code

A critical flaw in the Joomla Content Editor (JCE), one of the most widely used editor extensions for the Joomla CMS, is being actively exploited to take over websites. The bug (CVE-2026-48907, CVSS 10.0) is an access-control failure that lets an unauthenticated attacker create editor profiles and then upload and execute arbitrary PHP code, which amounts to full server compromise. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to patch by June 19. Working exploit code is public and attacks are automated, so sites with no public registration are at risk as well. Patching closes the hole but does not remove anything attackers have already planted.

Check
Identify Joomla sites running the JCE extension and confirm the installed version. Then audit for editor profiles you did not create, PHP files (or files containing PHP open tags) in upload directories, new administrator accounts, and profile-import requests in the web server access logs.
Affected
Joomla websites running JCE versions 1.0.0 through 2.9.99.4 (CVE-2026-48907); public-facing sites are being hit by automated attacks regardless of whether public registration is enabled.
Fix
Update JCE to 2.9.99.5 or later now. The update does not clean an already-compromised site, so also hunt for web shells and rogue accounts, remove what you find, and rotate site, database, and hosting credentials.
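The two log and filesystem checks above, as an added example (this is not Joomla or JCE project code). It walks an upload directory for PHP payloads, including PHP tags hidden inside files with image extensions, and pulls JCE profile-import requests out of combined-format access logs. The request pattern it matches (option=com_jce with "import" in the query string) and the log format are assumptions to adjust for your server; the sample files and log lines are constructed.

```python
"""Hunt for JCE post-exploitation artefacts on a Joomla site.

Added example, not code from Joomla or the JCE project. It checks two of the
indicators listed above: PHP payloads dropped under the upload directory and
profile-import requests in the web access log. The request pattern it looks
for (option=com_jce with "import" in the query string) and the combined log
format are assumptions; adjust both to your server. Sample files and log
lines are constructed for the demonstration.
"""
import os
import re
import tempfile

PHP_EXTENSIONS = {".php", ".php5", ".php7", ".phtml", ".phar", ".phps"}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Combined log format: client, identd, user, [time], "request", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_php_payloads(upload_root):
    """Return paths (relative to upload_root) that look like PHP code.

    Two tells: a PHP-executable extension, or PHP open tags inside a file with
    a harmless extension, the usual way to slip past an extension filter and
    execute later via rename or an .htaccess override.
    """
    hits = []
    for dirpath, _, filenames in os.walk(upload_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, upload_root)
            if os.path.splitext(name)[1].lower() in PHP_EXTENSIONS:
                hits.append(rel)
                continue
            with open(path, "rb") as fh:
                head = fh.read(4096)  # open tags sit near the start in practice
            if PHP_OPEN_TAG.search(head):
                hits.append(rel)
    return sorted(hits)


def find_profile_imports(log_lines):
    """Return (ip, time, path, status) for JCE requests carrying an import action."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, _method, path, status = m.groups()
        lowered = path.lower()
        if "option=com_jce" in lowered and "import" in lowered:
            hits.append((ip, ts, path, int(status)))
    return hits


def build_sample_upload_dir():
    """Constructed upload tree: a real-looking JPEG, a dropped .php shell,
    a PNG polyglot carrying PHP, and a harmless text file."""
    root = tempfile.mkdtemp(prefix="jce-hunt-")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "media"))
    samples = {
        "images/banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        "images/shell.php": b"<?php system($_GET['c']); ?>",
        "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php eval($_POST['x']); ?>",
        "media/notes.txt": b"release notes, nothing to see",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


# Constructed access-log lines (not from any real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jun/2026:03:12:41 +0000] "POST /index.php?option=com_jce&task=profile.import&format=raw HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [16/Jun/2026:03:12:44 +0000] "POST /index.php?option=com_jce&task=plugin.upload&plugin=filemanager HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '192.0.2.10 - - [16/Jun/2026:08:00:01 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    root = build_sample_upload_dir()
    print("suspicious uploads:", find_php_payloads(root))
    print("profile imports:", find_profile_imports(SAMPLE_LOG))
```

A hit on the import pattern from an address that then uploads through the file manager, as in the constructed lines, is the sequence to look for; follow it with a review of the editor profiles and administrator accounts created around those timestamps.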

Drupal critical SQL injection CVE-2026-9082 now actively exploited in PostgreSQL sites, added to CISA KEV - patch immediately

Drupal has updated its highly critical advisory PSA-2026-05-18 to confirm that exploit attempts for CVE-2026-9082 are being detected in the wild. The bug is an SQL injection in Drupal's database abstraction API that lets unauthenticated requests run arbitrary SQL on sites using a PostgreSQL backend, with possible escalation to remote code execution, privilege escalation, and information disclosure. Drupal's own scoring puts it at 23 of 25; NIST's CVSS v3 score of 6.5 does not reflect that severity. CISA added it to KEV on May 22. Affected versions are Drupal 8.9.x and the 10.x and 11.x branches before 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10.

Check
Inventory Drupal sites, confirm the core version, and identify PostgreSQL-backed deployments (highest impact). Search web access logs for unusual database errors or SQL-pattern requests dated 2026-05-20 or later.
Affected
Drupal core 8.9.x, 10.4.x before 10.4.10, 10.5.x before 10.5.10, 10.6.x before 10.6.9, and 11.x before 11.1.10, 11.2.12, or 11.3.10 on its respective branch. PostgreSQL backends face RCE; MySQL-backed sites still need the upgrade for the bundled Symfony and Twig fixes.
Fix
Upgrade to the patched release for your branch immediately. FCEB agencies must remediate by June 12 under the CISA KEV deadline. Until the upgrade is applied, WAF rules that block common SQL-injection patterns reduce exposure, but they are a stopgap, not a fix.
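The log search described in the Check step, as an added example (not Drupal project code, and not a signature for the CVE-2026-9082 payload itself, which the advisory does not publish). It URL-decodes each request twice to catch double encoding, matches it against generic SQL-injection tells plus PostgreSQL-specific functions an attacker would reach for on that backend, and keeps only hits on or after the disclosure date. The combined log format, the indicator list, and the sample lines are constructed assumptions.

```python
"""Triage web access logs for SQL-injection-style requests against Drupal.

Added example, not Drupal project code, and not a signature for the
CVE-2026-9082 payload itself, which the advisory does not publish. It
URL-decodes each request (twice, to catch double encoding), matches it against
generic SQL-injection tells plus PostgreSQL-specific functions an attacker
would reach for on that backend, and keeps only hits on or after the
disclosure date. The combined log format and the sample lines are constructed.
"""
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOG_TIME = "%d/%b/%Y:%H:%M:%S %z"
SINCE = datetime(2026, 5, 20, tzinfo=timezone.utc)  # disclosure day, UTC

# Assumed indicators; tune per site to cut false positives on search forms.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("comment_or_stack", re.compile(r"--|/\*|;\s*(?:select|insert|update|delete|drop|copy)\b", re.I)),
    ("tautology", re.compile(r"'\s*(?:or|and)\s+'?\d*'?\s*=\s*'?\d", re.I)),
    ("pg_function", re.compile(r"\b(?:pg_sleep|pg_read_file|pg_ls_dir|lo_import|current_setting)\s*\(", re.I)),
    ("copy_to_program", re.compile(r"\bcopy\b.{0,80}\bprogram\b", re.I | re.S)),
]


def score_request(path):
    """Return the names of indicators matching the decoded request target."""
    decoded = unquote_plus(unquote_plus(path))
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def triage(log_lines, since=SINCE):
    """Parse combined-format lines and return suspicious requests since `since`."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, raw_ts, method, path, status = m.groups()
        ts = datetime.strptime(raw_ts, LOG_TIME)
        if ts < since:
            continue
        tags = score_request(path)
        if tags:
            hits.append({"ip": ip, "time": ts.isoformat(), "method": method,
                         "path": path, "status": int(status), "indicators": tags})
    return hits


# Constructed lines: one pre-disclosure probe (dropped by the date filter),
# one UNION/pg_sleep probe that drew a 500, one benign request, and one
# double-encoded tautology.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/May/2026:23:59:58 +0000] "GET /node?title=%27%20or%201=1 HTTP/1.1" 200 4100 "-" "curl/8.6"',
    '198.51.100.23 - - [21/May/2026:02:14:09 +0000] "GET /search/node?keys=test%27%20UNION%20SELECT%20pg_sleep(5)-- HTTP/1.1" 500 0 "-" "curl/8.6"',
    '192.0.2.44 - - [22/May/2026:10:00:00 +0000] "GET /node/12?destination=/user HTTP/1.1" 200 7800 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/May/2026:11:05:31 +0100] "POST /user/login?foo=%2527%20or%20%25271%2527%3D%25271 HTTP/1.1" 403 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

A 5xx on a request that also carries a pg_ function is the combination worth escalating first: it suggests the injected SQL reached PostgreSQL and produced a database error rather than being rejected at the application layer. POST bodies are not in the access log, so pair this with the PostgreSQL server log for the same window.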

Drupal ships highly critical PostgreSQL RCE fix across 11.x and 10.x - SA-CORE patches now live, Drupal 7 unaffected

Drupal has shipped the highly critical core security release pre-announced in PSA-2026-05-18. The flaw allows remote code execution on Drupal sites running a PostgreSQL backend. Fixed versions are 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. The releases for supported branches also pull in upstream Symfony and Twig security fixes, so the upgrade is essential on MySQL deployments too. Best-effort manual patches are available for the end-of-life 9.5 and 8.9 branches. Drupal 7 is not affected. The Drupal Security Team had warned that working exploits could follow within hours of disclosure, so administrators should patch now.

Check
Inventory Drupal sites, confirm the core version, and identify PostgreSQL-backed deployments (the highest-impact path). Review database query logs and administrator-account changes from the May 20 disclosure window onward.
Affected
Drupal core 11.3.x, 11.2.x, 11.1.x, 10.6.x, 10.5.x, 10.4.x. Best-effort patches for EOL 9.5 and 8.9. Drupal 7 not affected. PostgreSQL backends face RCE; MySQL deployments still need the upgrade.
Fix
Upgrade Drupal core to 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, or 10.4.10 immediately. For EOL 9.5 and 8.9, apply the manual patches and plan migration to a supported branch.
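The inventory step that each of these Drupal entries opens with, as an added example (not Drupal project code). It classifies a core version string against the fixed releases listed above, treats Drupal 7 as unaffected and 8.9/9.5 as best-effort per the advisory, reports branches the advisory does not name as unlisted rather than guessing, and orders sites so that unpatched PostgreSQL-backed ones (the RCE path) come first, followed by unpatched sites on other backends that still need the Symfony/Twig fixes. The sample inventory is constructed; in practice feed it versions and database drivers taken from `drush status` or your CMDB.

```python
"""Inventory triage for the Drupal core security release above.

Added example, not Drupal project code. FIXED holds the release numbers
listed in the advisory; Drupal 7 is treated as unaffected and 8.9/9.5 as
best-effort manual patches, as stated above. Branches not named in the
advisory are reported as unlisted rather than guessed at. The sample
inventory is constructed.
"""
FIXED = {
    (11, 3): (11, 3, 10),
    (11, 2): (11, 2, 12),
    (11, 1): (11, 1, 10),
    (10, 6): (10, 6, 9),
    (10, 5): (10, 5, 10),
    (10, 4): (10, 4, 10),
}
BEST_EFFORT = {(9, 5), (8, 9)}


def parse_version(text):
    """'10.4.9-dev' -> (10, 4, 9); missing components are treated as 0."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(version_text):
    """Map a core version to one of: not-affected, patched, vulnerable,
    eol-best-effort, unlisted-branch."""
    v = parse_version(version_text)
    if v[0] == 7:
        return "not-affected"
    branch = (v[0], v[1])
    if branch in FIXED:
        if v >= FIXED[branch]:
            return "patched"
        return "vulnerable: upgrade to " + ".".join(map(str, FIXED[branch]))
    if branch in BEST_EFFORT:
        return "eol-best-effort: apply manual patch, plan migration"
    return "unlisted-branch: no fix listed, migrate to a supported branch"


def is_postgres(driver):
    d = driver.lower()
    return d.startswith("pgsql") or d.startswith("postgres")


def triage_inventory(sites):
    """sites: iterable of (name, version, db_driver). Returns dicts sorted so
    that unpatched PostgreSQL-backed sites come first (the RCE path), then
    unpatched sites on other backends (still need the Symfony/Twig fixes),
    then everything already patched or unaffected."""
    rows = []
    for name, version, driver in sites:
        status = classify(version)
        needs_work = not status.startswith(("patched", "not-affected"))
        if needs_work and is_postgres(driver):
            priority = 1
        elif needs_work:
            priority = 2
        else:
            priority = 3
        rows.append({"site": name, "version": version, "driver": driver,
                     "status": status, "priority": priority})
    return sorted(rows, key=lambda r: (r["priority"], r["site"]))


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("intranet", "10.4.9", "pgsql"),
    ("shop", "11.3.10", "mysql"),
    ("legacy", "9.5.11", "mysql"),
    ("docs", "11.2.11-dev", "pgsql"),
    ("archive", "7.104", "mysql"),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(row["priority"], row["site"], row["version"], row["status"])
```

The version comparison is tuple-based on purpose: a site reporting 10.4.9-dev sits below 10.4.10 and is flagged, while suffixes such as -dev or build metadata do not disturb the comparison.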

Drupal shipping highly critical core security update today (May 20, 17:00-21:00 UTC) - PSA-2026-05-18, severity 20/25, unauthenticated

Drupal is releasing an emergency core security update on May 20 between 17:00 and 21:00 UTC. Pre-disclosure advisory PSA-2026-05-18 rates the issue 'highly critical' (20 of 25 on Drupal's scoring) and notes access complexity 'None' and authentication 'None' - meaning the underlying flaw is unauthenticated and easy to trigger. Patches will land for the supported 11.3.x, 11.2.x, 10.6.x, and 10.5.x branches, plus emergency patches for EOL 11.1.x and 10.4.x. Drupal 7 is not affected. Drupal 8 and 9 will only get best-effort manual patch files. The Drupal Security Team warns working exploits may follow within hours of disclosure.

Check
Inventory all Drupal sites and their exact versions. Flag any site on Drupal 8 or 9 since these need manual best-effort patches and a planned upgrade.
Affected
All supported Drupal core 11.x and 10.x branches; emergency patches for the EOL 11.1.x and 10.4.x branches; Drupal 8 and 9 get best-effort manual patches only. Drupal 7 is not affected.
Fix
If you are on the EOL 11.1.x or 10.4.x branches, update to 11.1.9 or 10.4.9 today, before the security release lands, so the emergency patch can be applied on top. Apply the patch the moment it ships and plan an upgrade to 11.3 or 10.6 within the next quarter.