
CISA Adds Actively Exploited Joomla Widget Factory Flaw to KEV Catalog

  • Deadline
  • Action required
  • High importance

CVE-2026-20253 is an improper access control vulnerability in the Widget Factory Joomla Content Editor. It lets unauthenticated users create new editor profiles and, through them, upload and execute arbitrary PHP code, so no login is required. CISA confirmed active exploitation and added it on June 18 with a three-day federal remediation deadline, which is unusually short even by KEV standards. If you run Joomla with this editor installed, patch or disable it now. The combination of unauthenticated access and arbitrary PHP execution makes this a full remote code execution path, not just a privilege escalation.
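As an added example (not CISA's, Widget Factory's or the original post's code), a small triage script a Joomla administrator could run against a site root to answer the two questions this advisory raises: is the editor installed at all, and has PHP already landed in the web-writable upload tree? The manifest path `administrator/components/com_jce/jce.xml` and the `images/` upload root are assumptions about the usual Joomla layout, not values taken from the advisory; confirm them on your own install.

```python
"""Joomla triage for the Widget Factory editor advisory (added example)."""
import re
import sys
from pathlib import Path

# ASSUMPTION: usual manifest location of the Widget Factory editor component.
EDITOR_MANIFEST = Path("administrator/components/com_jce/jce.xml")
# ASSUMPTION: Joomla's default media directory, where editor uploads land.
UPLOAD_ROOT = Path("images")
# Any PHP open tag inside an "upload" is a red flag, whatever the extension.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
VERSION_TAG = re.compile(r"<version>\s*([^<\s]+)\s*</version>")


def parse_version(manifest_text):
    """Pull the <version> string out of a Joomla extension manifest."""
    m = VERSION_TAG.search(manifest_text)
    return m.group(1) if m else "unknown"


def contains_php(data):
    """True if the file bytes contain a PHP open tag (e.g. image polyglots)."""
    return PHP_TAG.search(data) is not None


def editor_version(joomla_root):
    """Installed editor version, or None when the manifest is absent."""
    manifest = Path(joomla_root) / EDITOR_MANIFEST
    if not manifest.is_file():
        return None
    return parse_version(manifest.read_text(errors="replace"))


def suspicious_uploads(joomla_root):
    """Upload-tree files carrying PHP code, sorted by relative path."""
    root = Path(joomla_root) / UPLOAD_ROOT
    if not root.is_dir():
        return []
    return sorted(str(p.relative_to(joomla_root)) for p in root.rglob("*")
                  if p.is_file() and contains_php(p.read_bytes()))


def triage(joomla_root):
    """Summarise exposure: editor present, its version, PHP found in uploads."""
    version = editor_version(joomla_root)
    return {"editor_installed": version is not None,
            "editor_version": version,
            "php_in_uploads": suspicious_uploads(joomla_root)}


if __name__ == "__main__":
    print(triage(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A non-empty `php_in_uploads` list is an incident-response trigger, not just a cleanup item, since an attacker who could write there could also execute.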