Critical (10.0) Actively Exploited

Page Builder CK unauth RCE exploited (CVE-2026-56290) [PoC]

CVE-2026-56290

CVE-2026-56290: Critical unauth arbitrary file upload in Joomla Page Builder CK leads to full RCE (CVSS 10.0). Update to patched extension version immediately.

Affected: Joomlack Page Builder Ck

Actively exploited in the wild - CVE-2026-56290 is a critical arbitrary file upload vulnerability in Joomla Page Builder CK that grants unauthenticated attackers full remote code execution on the server. Patched versions are available; update the extension immediately.

Overview

CVE-2026-56290 affects the Joomla extension Page Builder CK, a popular tool for building Joomla front-end layouts. The vulnerability allows an unauthenticated attacker to upload arbitrary files, including executable server-side scripts, with no user interaction required. Because the attack vector is network-based and requires no privileges or authentication, any attacker who can reach the vulnerable Joomla site can exploit this flaw to gain complete control over the web server.

The vulnerability has been confirmed as actively exploited in the wild by CISA’s Known Exploited Vulnerabilities (KEV) catalog. While the EPSS score indicates only a 0.4% probability of exploitation in the next 30 days, the public availability of exploit details combined with confirmed active attacks makes immediate patching critical. The CVSS score of 10.0 reflects the maximum severity: total impact on confidentiality, integrity, and availability.

Impact

An attacker exploiting CVE-2026-56290 can:

  • Upload a PHP web shell or other executable file to the web root
  • Execute arbitrary system commands on the server as the web server user
  • Install persistent backdoors, deploy ransomware, or exfiltrate the Joomla database and any hosted data
  • Potentially pivot to other internal systems reachable from the compromised web server

Because no authentication is required and no user interaction is needed, automated scanning and mass exploitation are straightforward.

Remediation and Mitigation

The vendor (CKSource / cozmoslabs) has released patched versions of Page Builder CK. Administrators should:

  1. Update immediately to the latest version of the extension from the Joomla extensions directory or the vendor download page.
  2. Verify the extension version is >= the patched release identified in the vendor advisory.
  3. If an immediate update is not possible, temporarily disable the Page Builder CK extension in the Joomla administrator panel until a patch can be applied.
  4. Check the web server access logs for signs of exploitation (suspicious file uploads, unexpected PHP files in upload directories, or POST requests to extension endpoints from unexpected IP addresses).
  5. Review recent data breach reports at breach reports for indicators of compromise.

Security Insight

This vulnerability follows a well-worn path: third-party extensions in content management systems continue to be a primary attack surface because they often receive less rigorous security review than the core CMS. The Page Builder CK case is notable for its CVSS 10.0 rating and confirmed active exploitation, making it a textbook example of why organizations using Joomla must maintain strict inventory and update policies for every installed extension. The availability of exploit code and active scanning campaigns means any unpatched instance is a ticking clock. Stay current on active threats at security news.

Further Reading

Share:

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository Stars
shinthink/pbck-exploit

📤 Mass exploitation framework for CVE-2026-56290 — Page Builder CK Joomla unauthenticated file upload to RCE

★ 2
sagsooz/PageBuilderCK-CVE-2026-56290-Exploit

Page Builder CK for Joomla - Unauthenticated SSRF / Remote File Write leading to PHP execution Exploiter

★ 1

Showing 2 of 2 known references. Source: nomi-sec/PoC-in-GitHub.

Related Advisories

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.