JoomlaForever.com! No image is available

CVE-2026-56290 is a critical unauthenticated file-upload vulnerability in Page Builder CK for Joomla that can lead to remote code execution. Because CISA lists the issue as actively exploited, affected site owners should verify their extension version, apply the latest vendor-confirmed fix, and assess exposed sites for signs of compromise.

Joomla extension vulnerabilities require a different response when a flaw is both remotely reachable and confirmed as exploited. CVE-2026-56290 in Page Builder CK meets that threshold: it permits unauthenticated arbitrary file upload and can result in full remote code execution. Patching is urgent, but a patch alone cannot remove files, accounts, or persistence mechanisms that may have been placed on a site before remediation.

What CVE-2026-56290 means for Page Builder CK sites

CVE-2026-56290 affects the Page Builder CK extension for Joomla, maintained by joomlack.fr. The vulnerability is an unauthenticated arbitrary file-upload issue: an attacker does not need a Joomla account to abuse the vulnerable behaviour. If executable content can be uploaded and run by the server, the outcome can be full remote code execution.

The CVE and NVD records assign a CVSS 4.0 base score of 10.0, Critical. The record is associated with both CWE-434, Unrestricted Upload of File with Dangerous Type, and CWE-284, Improper Access Control. Together, those classifications describe why the issue is so serious: access controls do not adequately protect a file-handling capability, and dangerous uploaded files can lead to code execution.

According to the authoritative version-range data, Page Builder CK versions before 3.6.0 are affected. Administrators should not infer more detail than the available records support. In particular, the CVE and NVD evidence does not establish Joomla-version-specific back-port releases. Use the current guidance from joomlack.fr to select and obtain the appropriate vendor-confirmed patched release for the site.

If an internet-facing site runs an affected version and cannot be updated immediately, temporarily disable or remove Page Builder CK until the maintenance window is available. This is a risk-reduction measure, not a substitute for a full review of a site that may already have been exposed.

Why active exploitation changes the priority

Page Builder CK is included in the CISA Known Exploited Vulnerabilities (KEV) catalog. That listing confirms observed exploitation in the wild. CISA added CVE-2026-56290 on 7 July 2026 and set 10 July 2026 as the remediation due date for relevant U.S. federal civilian executive branch agencies.

That due date is not a legal deadline for every Joomla owner, agency, host, or freelancer. It is nevertheless a useful prioritisation signal: CISA reserves KEV for vulnerabilities with evidence of exploitation and a meaningful remediation path. A public Joomla site using an affected extension should be treated as an incident-response candidate as well as a patching task.

Do not confuse CVSS with exploitation status. CVSS measures technical severity and potential impact; it does not prove that attackers are using an issue. KEV status records observed exploitation; it is independent evidence that helps administrators decide what to handle first. CVE-2026-56290 has both: a CVSS 4.0 score of 10.0 and KEV inclusion.

The same distinction applies to the other issues in this article. Only CVE-2026-48907 in JCE and CVE-2026-56290 in Page Builder CK are confirmed in the supplied CISA KEV evidence as actively exploited. The remaining entries deserve remediation based on their technical risk, but should not be described as confirmed exploitation cases.

Immediate response checklist for Joomla administrators

For agencies and hosting teams, begin with an inventory across every managed site rather than relying on a single administrator's recollection. Prioritise public sites, sites with long-lived installations, and sites where extensions are installed manually rather than managed through a consistent update process.

  1. Identify every Page Builder CK installation. Record the site, installed version, hosting account, public exposure, and last known update date.
  2. Preserve evidence before making broad changes. Retain relevant web-server and Joomla logs within your normal incident-handling process. Record the installed extension version and current administrator accounts.
  3. Update to the latest vendor-confirmed fixed release. The authoritative vulnerability data identifies versions before 3.6.0 as affected; verify the applicable patched release using current vendor guidance.
  4. Disable or remove the extension where a prompt update is impossible. Give precedence to exposed production sites.
  5. Check for compromise after patching. Updating prevents the known vulnerable condition from being reused, but does not reverse an earlier intrusion.
  6. Update Joomla core and other installed extensions. Do not allow a Page Builder CK remediation project to leave separate known issues unresolved.

Test updates in a controlled copy where business requirements permit, but do not let an extended test cycle leave an exposed vulnerable production site in service. Confirm normal front-end rendering, administrator access, extension functionality, and error logs after updating. Keep a verified backup and a documented rollback plan, but do not restore an older vulnerable extension merely to recover a layout problem.

Perform a proportionate compromise assessment

An unauthenticated upload-to-RCE flaw warrants a review that is broader than the extension directory. The precise locations and artefacts will vary by host and deployment, so assess the entire web-accessible application area and compare it with a known-good baseline where one exists.

Review files and application integrity

  • Look for unexpected or recently modified executable files in web-accessible directories, temporary locations, media locations, image locations, and extension folders.
  • Compare Joomla core and extension files with trusted installation packages or a known-good deployment. Unexpected modifications should be investigated rather than overwritten without recording them.
  • Review scheduled tasks, deployment hooks, and other operational configuration for changes that do not match approved administration work.
  • Remove unauthorised files only after they have been documented and the broader entry path has been addressed; deleting one suspicious file may not remove all persistence.

Review identities, logs, and service access

  • Audit Joomla administrator and user accounts for unfamiliar accounts, changed group membership, unusual profile data, or unexpected account-creation activity.
  • Review web-server and Joomla logs for anomalous upload activity, unusual AJAX requests, repeated requests from unfamiliar sources, and administration activity that does not match known staff actions.
  • Check error logs for unexpected execution failures or requests against files that should not exist.
  • Rotate credentials and access tokens that may have been exposed or used during a confirmed compromise, following the organisation's incident-response process.

Evidence of unauthorised code, accounts, or changes should be handled as a security incident. Contain the affected site, preserve relevant logs and files, establish a clean baseline, and restore only trusted content and configuration. A simple extension reinstall is insufficient if the investigation finds signs that an attacker obtained broader server or administrator-level access.

Related Joomla extension vulnerabilities to review

Page Builder CK is the urgent focus, but the recent set of Joomla extension vulnerabilities reinforces a practical lesson: extension inventory, prompt updates, access-control review, and file-integrity monitoring are connected controls. The table below distinguishes confirmed exploitation from severity ratings and lists only version and remediation facts supported by the reviewed evidence.

ProductCVEAuthenticationAffected versionsRecommended actionCVSS scoreKEV status
Page Builder CKCVE-2026-56290NoneVersions before 3.6.0Apply the latest vendor-confirmed fixed release; assess for compromise.10.0 Critical (CVSS 4.0)Yes; active exploitation confirmed
Joomla Content Editor (JCE)CVE-2026-48907NoneVersions before 2.9.99.5Update to 2.9.99.5 or later; audit editor profiles and files.10.0 Critical (CVSS 4.0)Yes; active exploitation confirmed
Astroid Template FrameworkCVE-2026-21628NoneVersions 2.0.0 through 3.3.10Update beyond 3.3.10 and review files and logs.10.0 Critical (CVSS 4.0)No confirmed KEV listing
Novarain/Tassos Framework and dependent extensionsCVE-2026-21627NoneFramework 4.10.14–6.0.37 and listed dependent-extension rangesApply current vendor updates and review AJAX activity and file integrity.9.5 Critical (CVSS 4.0)No confirmed KEV listing
Joomla CMS com_ajax ACL hardeningCVE-2026-21629None3.0.0 and later before 5.4.4; 6.0.0 and later before 6.0.4Update to 5.4.4 or 6.0.4 or later, as appropriate.6.3 Medium (CVSS 4.0)No confirmed KEV listing
Joomla CMS webservice endpointsCVE-2026-23899Authenticated3.0.0 and later before 5.4.4; 6.0.0 and later before 6.0.4Update to 5.4.4 or 6.0.4 or later, as appropriate.8.6 High (CVSS 4.0)No confirmed KEV listing
Smart Slider 3 for WordPressCVE-2026-3098AuthenticatedVersions up to and including 3.5.1.33Update to a vendor-patched release and restrict low-privilege access.6.5 Medium (CVSS 3.1)No confirmed KEV listing

The Tassos Framework issue concerns improper access control that can expose internal functionality through Joomla's AJAX mechanism, with SQL injection and file operations possible under certain conditions. Its affected products include the Novarain/Tassos Framework, Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, and Smile Pack within the listed version ranges. NVD marks this CVE as Deferred, so the available detail is primarily based on the CVE record and referenced sources; no authoritative fixed version is established in the reviewed evidence.

CVE-2026-21628 affects Astroid Template Framework versions 2.0.0 through 3.3.10. It is another unauthenticated upload issue with potential RCE, rated 10.0 under CVSS 4.0. Administrators should move beyond the affected range and conduct a file-system and log review. Its severity is high, but the reviewed authoritative sources do not confirm exploitation or a CISA KEV listing.

Joomla core also needs to be current. The Joomla Project's advisory for CVE-2026-21629 addresses ACL hardening around com_ajax in the administrator area. CVE-2026-23899 concerns improper access checks in webservice endpoints and requires authentication. Update affected 3.x–5.x branches to 5.4.4 or later, and affected 6.x branches to 6.0.4 or later.

For organisations that manage mixed CMS estates, Smart Slider 3 for WordPress is relevant as a parallel example. CVE-2026-3098 is an authenticated arbitrary file-read vulnerability in versions through 3.5.1.33, with a CVSS 3.1 score of 6.5 Medium. NVD marks it Deferred; details should therefore be understood as based primarily on the CVE record and referenced advisories, and may evolve. It is not a Joomla issue, but it illustrates why low-privilege accounts and extension update hygiene matter across platforms.

Strengthen the controls around extensions and uploads

Once the immediate remediation is complete, use the incident to improve the operating model rather than relying on an isolated emergency patch. Agencies should keep a central extension inventory that identifies the product, version, owner, update route, business purpose, and public exposure for each client site. This makes it possible to identify affected installations quickly when an advisory appears.

  • Keep Joomla core, templates, extensions, and server software within supported update paths.
  • Remove extensions that are no longer required; inactive code still increases maintenance and exposure.
  • Restrict access to the Joomla administrator interface and use least-privilege roles for routine work.
  • Limit permitted upload types and upload locations according to operational need, and monitor unexpected file changes.
  • Maintain tested backups that are separated from the production environment and know how to restore a clean site.
  • Use web-application firewall and security-monitoring controls as additional detection and risk-reduction layers, not as replacements for vendor patches.
  • Establish an escalation process for KEV-listed vulnerabilities so that actively exploited flaws receive a faster response than ordinary maintenance updates.

The key outcome is not simply that Page Builder CK is updated. It is that the organisation can answer, with evidence, which sites were exposed, whether they were checked, what was changed, and how future Joomla security updates will be handled.

Sources and advisory references

Add comment

By submitting a comment, you agree to our Comment Policy and Privacy Policy. Please keep comments respectful, relevant, and free from spam or promotional content. Your name and comment may be displayed publicly, while your email address will not normally be published. Technical information, including your IP address, may be processed for moderation, security, and spam prevention.

Submit