Skip to content

Two Joomla page-builder RCEs hit CISA KEV, remediation due today

CISA added CVE-2026-48908 (JoomShaper SP Page Builder) and CVE-2026-56290 (Page Builder CK) to KEV on July 7. Both CVSS 10.0, unauth file-upload to RCE. FCEB deadline: July 10.

Published 6 min read

CISA added two Joomla page-builder flaws to the Known Exploited Vulnerabilities catalog on July 7, 2026, alongside a third Langflow bug we covered separately. Both page-builder CVEs carry a CVSS v4 base score of 10.0, both are unauthenticated arbitrary file uploads that chain to remote code execution, and both were already being exploited in the wild before the catalog listing. The remediation deadline for federal civilian agencies under BOD 26-04 is today, July 10, 2026 — three business days after the KEV add.

  • CVE-2026-48908 — JoomShaper SP Page Builder ≤ 6.6.1. Fixed in 6.6.2, released June 14, 2026.
  • CVE-2026-56290 — Joomlack Page Builder CK ≤ 3.5.10. Fixed in 3.6.0, released June 27, 2026.

What the bugs do

Both extensions expose a file-upload endpoint that a Joomla site owner would reasonably assume required authentication. Both endpoints did not check.

SP Page Builder — asset.uploadCustomIcon. The controller reachable at index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon accepts an HTTP POST with a custom_icon multipart field containing a ZIP archive, extracts it into /media/com_sppagebuilder/assets/iconfont/[name]/fonts/, and returns 200. There is no login check, no permission check, and no file-type check — a PHP file inside the archive is written verbatim under the web root and is immediately executable. That is the classic CWE-284 improper-access-control shape.

Page Builder CK. A front-end endpoint accepts a file upload with the same pair of missing controls — no authentication, no permission check — and additionally lets the caller choose the destination folder. The only gate is Joomla's anti-CSRF token, which any unauthenticated visitor can read straight off the site's own public pages. Same primitive, same outcome: unauth remote attacker writes a PHP web shell into a web-served directory and executes it.

Affected versions and patches

ExtensionVulnerablePatchedFix commit
SP Page Builder (JoomShaper)≤ 6.6.16.6.2 (June 14, 2026)Gates asset.uploadCustomIcon behind an authenticated session, requires admin or component-manage permission, enforces a valid anti-CSRF token; returns 401/403 otherwise. Follow-up hardening in 6.6.3 addressed a bypass reported on the JoomShaper forum.
Page Builder CK (Joomlack)≤ 3.5.103.6.0 (June 27, 2026)Adds authentication and authorisation on the front-end upload endpoint.

SP Page Builder and Page Builder CK are both template-bundled on a large share of Joomla sites — many operators do not remember installing either extension because a template pulled it in as a dependency. The Censys advisory for CVE-2026-48908 estimates tens of thousands of internet-reachable Joomla sites with SP Page Builder active on the vulnerable versions at the time of catalog listing.

Exploitation status

Both flaws were confirmed exploited before the KEV addition. The evidence chain, in order:

  • SP Page Builder. mySites.guru's June 20 advisory documents live-traffic captures from real Joomla access logs: a POST to index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon returning 200, followed by a GET to a planted PHP file, followed by a brand-new Super Administrator account appearing in the Joomla users table — usually with a @secure.local email — plus a PHP file-manager backdoor written under /tmp or under the extension's own asset directories. A public PoC is on GitHub.
  • Page Builder CK. The mySites.guru advisory reports web-shell delivery observed on affected sites from June 27, 2026 onward. Belgium's Centre for Cybersecurity issued a national warning ahead of the KEV listing.

Neither the CISA catalog entry nor the extension vendors published IOCs, YARA rules, or Sigma rules in a usable form. The detectable primitives are the exploit traffic patterns above — an anonymous POST to the vulnerable endpoint followed by GETs to unfamiliar .php files in the extension asset directory — plus the post-compromise artefacts (new Super Administrator accounts, unfamiliar PHP files under the Joomla document root).

Action checklist

  1. Inventory every Joomla site you operate. Production, staging, agency-managed, marketing sub-brands, archived sites. SP Page Builder and Page Builder CK are frequently pulled in by templates without an operator installing them by hand.
  2. Upgrade SP Page Builder to 6.6.3 (not 6.6.2) on every affected site. The 6.6.2 release closed the primary hole but left a reachable variant patched in 6.6.3.
  3. Upgrade Page Builder CK to 3.6.0 on every affected site. Verify the version served, not just the version listed in the Joomla extension manager.
  4. Hunt for post-compromise artefacts on every site that was internet-reachable at any point in the past three weeks. Priority checks:
    • New Super Administrator accounts in #__users you did not create, especially with @secure.local or other placeholder emails.
    • Unexpected .php files under /media/com_sppagebuilder/assets/iconfont/ and in the destination folders configured for Page Builder CK uploads.
    • Modified timestamps on configuration.php, index.php, and the templates directory.
    • PHP file-manager backdoors in /tmp and under the Joomla webroot with names like wso.php, x.php, alfa.php.
  5. Rotate every credential reachable from configuration.php. Database password, mail SMTP, cache/Redis, S3 tokens, anything the PHP process can read. RCE means the config file was readable regardless of whether a web shell was successfully persisted.
  6. Pre-stage a WAF rule blocking unauthenticated POST traffic to ?option=com_sppagebuilder&task=asset.uploadCustomIcon and to the Page Builder CK front-end upload endpoint until every site is confirmed patched. This is defence-in-depth, not remediation.

Federal civilian agencies operating any Joomla instance with either extension must complete remediation by end of day today to remain compliant with BOD 26-04.

Context

This is the third Joomla extension to land in CISA KEV in five weeks and the fourth in twelve months. JCE — Joomla Content Editor CVE-2026-48907 hit KEV on June 16 with the same shape: unauth upload primitive plus a trust assumption the endpoint did not enforce. Before that, an Everest Forms plugin RCE hit KEV in the WordPress ecosystem in May. The through-line across three CMS platforms is unbroken: the most-installed editor or page-builder extension is also the largest unauth-RCE surface, because those extensions ship both a file-upload primitive and a trust assumption about the calling user that the endpoint does not actually enforce.

For Joomla operators, the operational question is no longer "is SP Page Builder patched." It is which of the other template-bundled extensions on your sites contain the same shape — a file-upload handler, a route that does not check authentication, a folder that lives under the web root. That is a static-analysis question you can answer today with grep and a directory listing. The next KEV add is already in someone's extension registry.

What other outlets missed

The CISA July 7 alert is being framed by most outlets as three vulnerabilities of roughly equal weight. It is not. Langflow CVE-2026-55255 requires an authenticated foothold; the two Joomla flaws do not. The blast radius comparison is misleading unless you spell out that "actively exploited" against an unauthenticated internet-reachable endpoint on a widely-installed CMS extension is a categorically different risk from an authenticated IDOR on developer tooling. Sites running vulnerable SP Page Builder or Page Builder CK versions at the time of KEV listing were, by construction, already compromised or about to be. That is the story the three-in-one CISA framing does not tell.

Related stories