AI description
CVE-2026-56290 describes an unauthenticated arbitrary file upload vulnerability found within the Joomla extension Page Builder CK. This flaw allows an attacker to upload executable files to the affected system. The successful exploitation of this vulnerability can lead to full remote code execution (RCE) on the compromised system, as no authentication is required for an attacker to perform the file upload. This vulnerability is categorized under CWE-284, which pertains to improper access control. It has also been added to CISA's Known Exploited Vulnerabilities Catalog.
- Description
- The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
- Source
- security@joomla.org
- NVD status
- Undergoing Analysis
- Products
- page_builder_ck
CVSS 4.0
- Type
- Secondary
- Base score
- 10
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
Data from CISA
- Vulnerability name
- Joomlack Page Builder Improper Access Control Vulnerability
- Exploit added on
- Jul 7, 2026
- Exploit action due
- Jul 10, 2026
- Required action
- Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
10
CISA added three new vulnerabilities to its KEV Catalog: CVE-2026-48908, CVE-2026-55255, CVE-2026-56290, due to active exploitation https://t.co/gset4o5XQI
@f1tym1
8 Jul 2026
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
米国CISA¹の既知の悪用された脆弱性カタログに3件と1件の追加。JoomShaper SP Page BuilderのCVE-2026-48908、LangflowのCVE-2026-55255、Joomlack Page BuilderのCVE-2026-56290とColdfusionのCVE-2026-48282。対処期限は3日。ランサム悪用不知。
@__kokumoto
7 Jul 2026
577 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🛡️ We added JoomShaper SP Page Builder vulnerability CVE-2026-48908, Bernoulli denklemi vulnerability CVE-2026-55255, & Joomlack Page Builder vulnerability CVE-2026-56290 to our KEV Catalog. Visit https://t.co/7S6bozvJuc & apply mitigations to protect your org from c
@FarukCakicil65
7 Jul 2026
8 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
🛡️ We added JoomShaper SP Page Builder vulnerability CVE-2026-48908, Langflow vulnerability CVE-2026-55255, & Joomlack Page Builder vulnerability CVE-2026-56290 to our KEV Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattack
@CISACyber
7 Jul 2026
4911 Impressions
2 Retweets
9 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CRITICAL: CVE-2026-56290 (CVSS 9.8) Joomla Page Builder CK vulnerable to unauthenticated arbitrary file upload → RCE No auth required. Patch immediately. #CVE #Vulnerability #PatchNow #ThreatIntel #DFIR https://t.co/LXqb2LdrfA
@DFIR_Lab
5 Jul 2026
48 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨*CVE* CVE-2026-56290 The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. https://t.co/gXsoLCA0Wp ----- Traducción: CVE-2026-56290 La extensión de… https://t.co/utmtNg
@infoflowcloud
29 Jun 2026
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:joomlack:page_builder_ck:*:*:*:*:*:joomla\\!:*:*",
"matchCriteriaId": "57D7FD08-F3BF-47D8-9EFF-E8CF1D474D38",
"versionEndIncluding": "3.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]