CVE-2026-48907 is a CISA KEV-listed unauthenticated RCE vulnerability in the Widget Factory Joomla Content Editor (JCE) plugin, affecting all versions 1.0.0 through 2.9.99.4, with a federal remediation deadline of June 19, 2026 — 48 hours from this publication date. Exploitation requires no credentials and no user interaction; attackers upload arbitrary PHP web shells via an unrestricted file upload endpoint and achieve full server compromise with web process privileges. Automated exploitation is confirmed, public PoC code is available, and mass scanning is active.
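A triage sketch for the two facts above (the affected range 1.0.0 through 2.9.99.4, and PHP web shells arriving through file upload), added here as an example and not taken from the advisory or from JCE. The caller supplies the manifest text and the upload directory; the sample manifest and the heuristics (PHP-handled extensions, PHP open tags in the first 64 KiB of a file) are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Affected range as stated in the advisory text: 1.0.0 through 2.9.99.4.
AFFECTED_MIN, AFFECTED_MAX = (1, 0, 0), (2, 9, 99, 4)
# Heuristics (assumptions): extensions commonly mapped to the PHP handler,
# matched anywhere in the name so "x.php.jpg" is caught, and PHP open tags.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.I)
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)

def parse_version(text):
    """Leading dotted-numeric part of a version string as a tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not m:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(version):
    """True if version falls inside the advisory's range (zero-padded compare)."""
    v = parse_version(version)
    pad = lambda t: t + (0,) * (4 - len(t))
    return pad(AFFECTED_MIN) <= pad(v) <= pad(AFFECTED_MAX)

def manifest_version(xml_text):
    """Read <version> from a Joomla extension manifest (XML text)."""
    return (ET.fromstring(xml_text).findtext("version") or "").strip()

def suspicious_uploads(upload_dir):
    """List (relative path, reasons) for files that look like PHP in a media dir."""
    root, hits = Path(upload_dir), []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        reasons = ["php-extension"] if PHP_EXT.search(p.name) else []
        with p.open("rb") as fh:
            if PHP_TAG.search(fh.read(65536)):  # head only; a tag deeper in is missed
                reasons.append("php-open-tag")
        if reasons:
            hits.append((p.relative_to(root).as_posix(), reasons))
    return hits

if __name__ == "__main__":
    # Constructed manifest; the real manifest path depends on the installation.
    sample = "<extension><name>JCE</name><version>2.9.50</version></extension>"
    ver = manifest_version(sample)
    print(ver, "affected" if is_affected(ver) else "outside advisory range")
```

A hit from `suspicious_uploads` is a lead for review, not proof of compromise, and an empty result does not clear a host that was exposed while running an affected version.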