SYS::ONLINE
Wasteland.
Briefs1122
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-56290 2026-07-07

Joomlack Page Builder CK: Unauthenticated File Upload Enables Full RCE (CVE-2026-56290)

"CVE-2026-56290 is a critical, actively exploited improper access control flaw in the Joomlack Page Builder CK extension for Joomla that lets unauthenticated attackers upload executable files and achieve full remote code…"

CVE-2026-56290 is a critical, actively exploited improper access control flaw in the Joomlack Page Builder CK extension for Joomla that lets unauthenticated attackers upload executable files and achieve full remote code execution.

What Is It

CVE-2026-56290 is an improper access control vulnerability (CWE-284; also classified as CWE-434, unrestricted file upload) in Page Builder CK, a page-builder extension for the Joomla CMS published by Joomlack. Per the NVD description, the extension is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files, leading to full remote code execution. NVD assigns a CVSS 3.1 base score of 9.8 (CRITICAL), with a network attack vector, low complexity, no privileges, and no user interaction required. The secondary CVSS 4.0 assessment rates it 10.0.

Why It Matters

No authentication is needed and no user interaction is required, so an attacker who can reach a vulnerable site over the network can upload a web shell and take full control of the host. CISA added CVE-2026-56290 to its Known Exploited Vulnerabilities catalog on 2026-07-07, confirming active exploitation in the wild. CISA's SSVC assessment marks exploitation as "active," the flaw as "automatable," and technical impact as "total." Confidentiality, integrity, and availability impacts are all rated HIGH.

What's Vulnerable

The affected product is the JoomlaCK.fr Page Builder CK extension for Joomla. According to the NVD data, versions 1.0 through 3.6.0 are affected (versions up to and including 3.6.0). The affected configuration is identified as cpe:2.3:a:joomlack:page_builder_ck:*:*:*:*:*:joomla!:*:*.

Patch Status

CISA's required action is to apply mitigations in accordance with vendor instructions, in compliance with BOD 26-04 guidance and CISA's Forensics Triage Requirements. Organizations should follow applicable BOD 26-04 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The remediation due date is 2026-07-10. Stakeholders are responsible for evaluating each asset's internet exposure. Known ransomware campaign use is listed as "Unknown."

Sources