Particle.news

CISA Orders Immediate Fixes for Actively Exploited LiteSpeed and Joomla Plugin Flaws

The agency says the bugs let attackers gain root or upload executable PHP, enabling automated compromise of shared hosting and Joomla sites.

Overview

  • CISA added the LiteSpeed cPanel plugin flaw (CVE-2026-54420) and the Joomla JCE flaw (CVE-2026-48907) to its Known Exploited Vulnerabilities catalog, which obliges federal civilian agencies to remediate them on a short deadline under Binding Operational Directive 22-01.
  • The LiteSpeed bug mishandles UNIX symbolic links, letting a user who already has FTP or web-shell access to a CloudLinux/CageFS shared host escalate to root; the vendors confirmed active exploitation.
  • The JCE flaw lets unauthenticated attackers create editor profiles that permit uploading and executing PHP, and Joomla warned that working exploit code is public and attacks are automated.
  • Vendors have released fixes (LiteSpeed cPanel plugin v2.4.8 / WHM v5.3.2.1 and JCE 2.9.99.5/2.9.99.6) and published grep commands and indicators of compromise (IoCs) for detecting signs of compromise; administrators should apply the updates immediately.
  • Patching closes the entry points but does not remove implants that were already dropped, so operators should hunt for backdoors and unexpected PHP files, rotate credentials, run full server malware scans, and clean compromised sites before declaring them safe.
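The hunt described in the last bullet is the part that is easy to skip after patching. The following is an added example, not the vendors' published grep commands or IoCs: a generic POSIX shell hunt over a site tree that flags PHP files sitting in directories where an editor or uploader writes (a Joomla editor upload tree should never contain PHP) and PHP files whose source uses the idioms dropped webshells rely on. The directory names and source patterns are assumptions to adjust for the site, and the sample tree it builds is constructed test data.

```shell
#!/bin/sh
# Added example: generic post-compromise hunt for dropped PHP webshells.
# Not the vendor-published grep commands or IoCs; every pattern below is an
# assumption and every hit needs a human look, since legitimate code uses
# some of these calls too.

# Directories an editor/uploader writes into, where a .php file should never
# appear (assumed names; adjust to the site's layout).
UPLOAD_DIRS='images|uploads|media|tmp|cache'

# Source-level idioms typical of webshells (assumed generic patterns).
# The last alternative catches "$_GET['f']($_GET['a'])"-style variable calls.
SHELL_PATTERNS='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|shell_exec\(|passthru\(|system\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\]\('

# hunt_php_webshells DIR
# Prints one finding per line as "<TAG>\t<path>":
#   PHP_IN_UPLOAD_DIR  a PHP file inside an upload/image/tmp directory
#   SUSPICIOUS_SOURCE  a PHP file whose source matches SHELL_PATTERNS
# Returns 0 if nothing was flagged, 1 otherwise.
hunt_php_webshells() {
    dir=${1%/}
    list=$(mktemp)
    found=0
    # Include the usual alternate PHP extensions hosts still execute.
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) > "$list"
    while IFS= read -r f; do
        rel=${f#"$dir"/}          # match on the site-relative path only
        if printf '%s\n' "$rel" | grep -Eq "(^|/)($UPLOAD_DIRS)/"; then
            printf 'PHP_IN_UPLOAD_DIR\t%s\n' "$f"
            found=1
        fi
        if grep -Eq "$SHELL_PATTERNS" "$f"; then
            printf 'SUSPICIOUS_SOURCE\t%s\n' "$f"
            found=1
        fi
    done < "$list"
    rm -f "$list"
    return $found
}

# list_recent_php DIR DAYS
# Prints PHP files changed in the last DAYS days; after a known exploitation
# window this is the first list to review, whatever the patterns say.
list_recent_php() {
    find "${1%/}" -type f -iname '*.php' -mtime "-$2"
}

# make_sample_tree
# Builds a small constructed site tree (test data, not a real site) and
# prints its path: one benign template file, one webshell dropped into the
# image upload tree, and one obfuscated loader under administrator/.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/administrator" "$root/images/stories" "$root/templates/site"
    printf '<?php\ndefined("_JEXEC") or die;\necho "ok";\n' > "$root/templates/site/index.php"
    printf '<?php @eval($_POST["c"]); ?>\n' > "$root/images/stories/photo.php"
    printf '<?php\n$x = base64_decode("H4sIAA");\n$y = gzinflate($x);\neval($y);\n' > "$root/administrator/cache.php"
    printf 'not php\n' > "$root/images/banner.jpg"
    printf '%s\n' "$root"
}

# Usage: sh hunt.sh /path/to/site   (exit status 1 means something was flagged)
if [ -n "${1:-}" ]; then
    hunt_php_webshells "$1"
fi
```

Against the constructed tree, the webshell in images/stories/ is reported twice (wrong place and suspicious source), the loader under administrator/ once, and the benign template not at all; the function's exit status makes it usable from a cron job or a cPanel-wide loop over home directories.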