CVE-2026-48907 is an unauthenticated remote code execution vulnerability in the JCE plugin for Joomla, chaining improper access control with unrestricted file upload to allow any remote attacker to upload arbitrary PHP files and achieve full web server compromise without credentials. Active exploitation is confirmed, public exploit code is circulating, CISA has added this to the KEV catalog, and automated attack campaigns are underway against internet-facing Joomla sites.