ctipilot.ch

Joomlack Page Builder CK unauth file-upload RCE (CVSS 10.0), CISA KEV zero-day

cve · CVE-2026-56290

Coverage timeline
1
first 2026-07-08 → last 2026-07-08
Entries
1
1 distinct days
Sources cited
3
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
1
see Related entities below

Story timeline

  1. 2026-07-08CVE-2026-48908 / CVE-2026-56290 — two Joomla page-builder extensions hit CISA KEV the same day for unauth file-upload RCE zero-days
    trending-vulnerabilitiesTwo Joomla page-builder extensions (SP Page Builder, Page Builder CK) hit KEV for unauth file-upload RCE zero-days

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • mysites.guru2 (67%)
  • thehackernews.com1 (33%)

Related entities

Entries about Joomlack Page Builder CK unauth file-upload RCE (CVSS 10.0), CISA KEV zero-day (1)

2026-07-08 · view entry permalink →

NOTABLECVE-2026-48908 +1exploited

CVE-2026-48908 / CVE-2026-56290 — two Joomla page-builder extensions hit CISA KEV the same day for unauth file-upload RCE zero-days

Two unrelated third-party Joomla page-builder extensions were both added to CISA KEV on 7 July 2026 for near-identical unauthenticated file-upload-to-RCE flaws, both already exploited as zero-days. CVE-2026-48908 (JoomShaper SP Page Builder, CVSS 10.0, CWE-434) sits in the component's asset.uploadCustomIcon task, reachable at index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon with no authentication and no file-type validation, affecting versions through 6.6.1 (fixed 6.6.2); mySites.guru observed live attacks planting hidden Super Administrator accounts (typically @secure.local) for persistence surviving the entry-point patch (mySites.guru, 2026-07-08). CVE-2026-56290 (Joomlack Page Builder CK, CVSS 10.0, CWE-284) is a front-end upload handler that validated only a CSRF token — no authentication, no authorization — and accepted an attacker-controlled destination folder and filename including the extension, letting a PHP file be written and executed anywhere web-accessible; it affects up to 3.5.10, fixed in 3.6.0 with back-ports to 3.1.1 (Joomla 3) and 3.4.10 (Joomla 4), and the vendor's own suspect-content tooling flagged a live web shell within hours of the fix landing (mySites.guru, 2026-07-07). The Hacker News corroborates both as KEV-listed and actively exploited (The Hacker News, 2026-07-08). Defender takeaway: both extensions are common on small-business, municipal and public-sector Joomla sites across the EU; the transferable lesson is the recurring class — an unauthenticated third-party component endpoint that accepts a file with no type/ownership check — so inventory every page-builder / gallery / form add-on in a Joomla estate, not just these two, and watch access logs for POSTs to component upload tasks returning 200 followed by a GET to a newly-named file.

Already exploited in the wild. The payload plants a hidden Super Administrator account, usually with an @secure.local email.

mySites.guru 2026-07-08

CVE-2026-48908, on the other hand, is said to have been exploited as a zero-day to upload a PHP file by means of an HTTP POST request to the 'index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon' endpoint.

The Hacker News 2026-07-08
vulnerability08 Jul 20:35Zmulti-sourceOpen finding ↗