There's a pretty wild Joomla CVE going around. If you have Joomla clients, you might want to apply this as a custom modsec rule (this is for Litespeed but should be portable).
Code:
SecRule REQUEST_METHOD "@streq POST" \
"id:1100100,\
phase:2,\
block,\
log,\
t:none,t:uppercase,\
msg:'CVE-2026-48907 - JCE profile import upload attempt DETECTED',\
tag:'attack-rce',\
tag:'joomla',\
tag:'CVE-2026-48907',\
chain"
SecRule ARGS:option|ARGS_POST:option "@rx ^com_jce$" \
"t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace,\
chain"
SecRule ARGS:task|ARGS_POST:task "@rx ^profiles\.import$" \
"t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace"