What is Joomlack Page Builder CK?
Page Builder CK is a drag-and-drop page-building extension for the Joomla content management system, published by the French developer Joomlack, used to visually construct page layouts without editing template code directly. Like other Joomla extensions, it exposes its own controller endpoints directly through Joomla's front-end routing, meaning any authorization weakness in those endpoints is reachable by any internet visitor to the site.
Overview
Joomlack Page Builder CK contains an improper access control vulnerability in a front-end file-upload endpoint that checked only a CSRF token — no authentication and no authorization check were performed. Because Joomla renders CSRF tokens into its own public-facing pages by design, any anonymous visitor can retrieve a valid token with a single ordinary page request and then reuse it to satisfy the upload endpoint's only check, fully neutralizing the protection. The endpoint additionally allowed the caller to influence the destination folder and filename, and the exploited artifact was later observed live at /media/com_pagebuilderck/gfonts/bhup.php — a small uploaded handler file used to receive further uploaded content.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Page Builder CK (Joomla 5) | Up to and including 3.5.10 | 3.6.0 |
| Page Builder CK (Joomla 4 back-port) | Prior versions | 3.4.10 |
| Page Builder CK (Joomla 3 back-port) | Prior versions | 3.1.1 |
All three fixed versions were released on June 27, 2026.
Technical Details
- Root cause: The upload endpoint enforced only a CSRF token check rather than a genuine authentication/authorization check, and CSRF tokens are trivially harvestable from any public page on the same Joomla site (CWE-284: Improper Access Control).
- Attack vector: Network, no privileges or user interaction required (
AV:N/AC:L/PR:N/UI:N). CVSS score: 9.8 (Critical). - Attack characteristics: A two-step attack: first, an unauthenticated GET request to any public page on the target site harvests a valid CSRF token; second, that token is replayed in a POST request to the upload endpoint, which also accepts attacker-influenced destination path/filename parameters, to place a PHP file in a web-accessible location.
- Impact: Full remote code execution in the context of the web server process, with corresponding high confidentiality, integrity, and availability impact.
Discovery
Credited to Phil Taylor of mySites.guru, whose team's monitoring across a large base of Joomla sites detected a live web shell on a client's site within hours of the June 27, 2026 fix release, confirming active exploitation.
Exploitation Context
Exploitation was extremely rapid — a live web shell was detected on a connected site within hours of the patched version becoming available, suggesting exploitation may have begun before or immediately upon public disclosure. CISA added this CVE to the KEV catalog on July 7, 2026 alongside CVE-2026-48908 (JoomShaper SP Page Builder), a near-identical unauthenticated file-upload flaw in a different Joomla page-builder extension. This is the third of four related Joomla extension file-upload CVEs in this KEV batch attributed to mySites.guru (alongside CVE-2026-48908, CVE-2026-48939, and CVE-2026-56291), all surfaced via the same detection method: client-forwarded evidence of live compromise traced back to a vulnerable upload handler. The Centre for Cybersecurity Belgium issued a dedicated advisory for this CVE. No specific threat-actor name or exposure/Shodan count has been published.
Remediation
- Update Page Builder CK to 3.6.0 (Joomla 5), 3.4.10 (Joomla 4), or 3.1.1 (Joomla 3) immediately, matching your Joomla major version.
- Check for the known compromise artifact at
media/com_pagebuilderck/gfonts/bhup.phpand any similarly-named unexpected PHP files undermedia/com_pagebuilderck/. - Review web server access logs for anomalous POST requests to the extension's upload endpoint, particularly those immediately preceded by a page-token-harvesting GET request from the same source.
- Restrict direct PHP execution in media/upload directories at the web server level as defense-in-depth against this class of vulnerability.
- Follow CISA BOD 26-04 guidance given the July 10, 2026 remediation deadline and evidence of very rapid post-patch exploitation.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-56290 |
| Vendor / Product | Joomlack — Page Builder |
| NVD Published | 2026-06-29 |
| NVD Last Modified | 2026-07-08 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-434 find similar ↗ |
| CISA KEV Added | 2026-07-07 |
| CISA KEV Deadline | 2026-07-10 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-06-27 | Joomlack releases Page Builder CK 3.6.0 (plus 3.4.10 and 3.1.1 back-ports) fixing the flaw |
| 2026-06-27 | mySites.guru detects a live web shell on a connected site within hours of the fix release |
| 2026-07-07 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-07-10 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-56290 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Joomlack — Page Builder CK Extension Page | Vendor |
| mySites.guru — PageBuilder CK unauthenticated file upload RCE | Security Research |
| Threat-Modeling.com — Joomla page builder CVEs added to CISA KEV | Security Research |
| Centre for Cybersecurity Belgium — Advisory on CVE-2026-56290 | Government Advisory |