CVE-2026-56290

Published Jun 29, 2026

Last updated 10 hours ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-56290 describes an unauthenticated arbitrary file upload vulnerability found within the Joomla extension Page Builder CK. This flaw allows an attacker to upload executable files to the affected system. The successful exploitation of this vulnerability can lead to full remote code execution (RCE) on the compromised system, as no authentication is required for an attacker to perform the file upload. This vulnerability is categorized under CWE-284, which pertains to improper access control. It has also been added to CISA's Known Exploited Vulnerabilities Catalog.

Description
The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
Source
security@joomla.org
NVD status
Undergoing Analysis
Products
page_builder_ck

Risk scores

CVSS 4.0

Type
Secondary
Base score
10
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
Severity
CRITICAL

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Joomlack Page Builder Improper Access Control Vulnerability
Exploit added on
Jul 7, 2026
Exploit action due
Jul 10, 2026
Required action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Weaknesses

security@joomla.org
CWE-434
nvd@nist.gov
CWE-434

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

10

  1. CISA added three new vulnerabilities to its KEV Catalog: CVE-2026-48908, CVE-2026-55255, CVE-2026-56290, due to active exploitation https://t.co/gset4o5XQI

    @f1tym1

    8 Jul 2026

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 米国CISA¹の既知の悪用された脆弱性カタログに3件と1件の追加。JoomShaper SP Page BuilderのCVE-2026-48908、LangflowのCVE-2026-55255、Joomlack Page BuilderのCVE-2026-56290とColdfusionのCVE-2026-48282。対処期限は3日。ランサム悪用不知。

    @__kokumoto

    7 Jul 2026

    577 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🛡️ We added JoomShaper SP Page Builder vulnerability CVE-2026-48908, Bernoulli denklemi vulnerability CVE-2026-55255, & Joomlack Page Builder vulnerability CVE-2026-56290 to our KEV Catalog. Visit https://t.co/7S6bozvJuc & apply mitigations to protect your org from c

    @FarukCakicil65

    7 Jul 2026

    8 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🛡️ We added JoomShaper SP Page Builder vulnerability CVE-2026-48908, Langflow vulnerability CVE-2026-55255, & Joomlack Page Builder vulnerability CVE-2026-56290 to our KEV Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattack

    @CISACyber

    7 Jul 2026

    4911 Impressions

    2 Retweets

    9 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 CRITICAL: CVE-2026-56290 (CVSS 9.8) Joomla Page Builder CK vulnerable to unauthenticated arbitrary file upload → RCE No auth required. Patch immediately. #CVE #Vulnerability #PatchNow #ThreatIntel #DFIR https://t.co/LXqb2LdrfA

    @DFIR_Lab

    5 Jul 2026

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨*CVE* CVE-2026-56290 The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. https://t.co/gXsoLCA0Wp ----- Traducción: CVE-2026-56290 La extensión de… https://t.co/utmtNg

    @infoflowcloud

    29 Jun 2026

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations