CISA has added two critical Joomla page-builder flaws to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. CVE-2026-56290 is an unauthenticated arbitrary file upload in Page Builder CK (JoomlaCK.fr) affecting all versions up to and including 3.5.10, and CVE-2026-48908 is an unrestricted-file-type upload in JoomShaper's SP Page Builder affecting all versions up to and including 6.6.1. Both carry a CVSS score of 10.0, both let a remote attacker with no login upload a PHP web shell and execute code on the server, and both are fixed in patched releases (Page Builder CK 3.6.0, SP Page Builder 6.6.2). Federal agencies were ordered to remediate by July 10 under Binding Operational Directive 26-04. If you run either extension on a Joomla site, treat this as an emergency.

What the Vulnerability Is

Both bugs are the same root class — unauthenticated file upload with no validation of file type, leading to remote code execution:

  • CVE-2026-56290 — Page Builder CK. An improper access-control flaw lets any unauthenticated remote attacker upload executable files, including PHP web shells, directly to a web-served folder. Because there is no authentication and no file-type check, a single request can plant a shell and yield full RCE. Affected through 3.5.10; fixed in PageBuilder CK 3.6.0, released June 27, 2026.
  • CVE-2026-48908 — SP Page Builder. The extension exposes a task, asset.uploadCustomIcon, that accepts an uploaded file with no login and no check on the file type. An attacker can upload a PHP web shell to a web-served directory and then request it to run arbitrary code. Affected through 6.6.1; fixed in SP Page Builder 6.6.2.

In both cases the attacker needs nothing but network access to the site. There is no credential requirement, no user interaction, and the payload runs in the context of the web server — the classic path to a full site takeover.

Why It Matters

  • Unauthenticated RCE, CVSS 10.0. No account, no social engineering — just a crafted HTTP request that drops a web shell.
  • Confirmed active exploitation. Both CVEs are on the CISA KEV catalog specifically because attacks are already happening.
  • Popular extensions. SP Page Builder and Page Builder CK are widely deployed drag-and-drop builders across the Joomla ecosystem, so the exposed population is large.
  • Full server foothold. A PHP web shell gives attackers persistent access: data theft, defacement, spam/SEO injection, pivoting to other sites on the same hosting account, and staging for further compromise.
  • Fast-moving deadline. CISA's July 10 remediation deadline reflects how quickly this is being weaponized.

Am I Affected?

You are affected if your Joomla site runs either:

  • Page Builder CK version 3.5.10 or earlier, or
  • JoomShaper SP Page Builder version 6.6.1 or earlier.

Check the installed version under Joomla Administrator → System → Manage → Extensions, and filter by "Page Builder CK" or "SP Page Builder." Even if a site looks unused, an exposed vulnerable extension is enough — exploitation does not require the builder to be actively in use, only installed and reachable.

Because exploitation is unauthenticated and already in the wild, assume any exposed vulnerable install may already have been probed or compromised.

What to Do About It: Step-by-Step

  1. Update the extension immediately (primary fix). Page Builder CK → upgrade to 3.6.0 or later. SP Page Builder → upgrade to 6.6.2 or later. Use Joomla's extension updater (System → Update → Extensions) or install the latest package from the vendor.
  2. If you cannot patch within hours, take the site or extension offline. Disable/uninstall the vulnerable builder, or put the site behind maintenance mode / a restrictive WAF rule blocking the upload endpoints until you can update.
  3. Hunt for web shells and signs of compromise. Because these are actively exploited, patching alone is not enough if you were already hit. Look for recently-created or unexpected .php files, especially under media/upload/asset directories:
    # newly-created or modified PHP files in the last 14 days under the web root
    find /var/www -name '*.php' -mtime -14 -type f -print
    
    # suspicious one-liners often found in dropped shells
    grep -RilE "eval\(|base64_decode\(|assert\(|system\(|passthru\(|gzinflate\(" /var/www --include='*.php'
    Pay special attention to SP Page Builder's custom-icon/asset upload paths and Page Builder CK's upload folders.
  4. Rotate secrets and review accounts. If you find evidence of a shell, rotate Joomla admin passwords, database credentials, and any API keys, and audit for newly-created admin users.
  5. Harden uploads at the server level. Disable PHP execution in upload/media directories so a dropped .php file cannot run even if uploaded:
    # NGINX: block PHP execution under the media/upload tree
    location ~* /(images|media)/.*\.php$ { deny all; return 403; }
  6. Keep Joomla core and all extensions current. Subscribe to Joomla and vendor security feeds so the next builder flaw doesn't sit unpatched.

Quick-Win Checklist

  • Check installed versions of Page Builder CK and SP Page Builder.
  • Update Page Builder CK to 3.6.0+ / SP Page Builder to 6.6.2+.
  • If patching is delayed, disable the extension or block upload endpoints.
  • Scan the web root for new/unexpected .php files and web-shell signatures.
  • Disable PHP execution in media/upload directories.
  • Rotate admin, database, and API credentials if compromise is suspected.
  • Audit for rogue admin accounts.
  • Subscribe to Joomla + vendor security advisories.

Sources