External risk intelligence

Joomla Page Builder CK Arbitrary File Upload RCE.

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-56290

The vulnerability affects a Joomla extension, which is a component of a web application. Web applications and their associated extensions are typically deployed to be internet-facing to serve content or provide services to public users, making the vulnerable component commonly reachable from the internet in standard deployments.

Unrestricted File Upload

Joomlack Page Builder Ck

3.6.0 and earlier

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the Joomla extension Page Builder CK, which could allow an unauthenticated attacker to upload and execute arbitrary files, potentially leading to a complete compromise of the affected system. The primary concern is to confirm if this extension is in use within our environment and to what extent.

  • Unauthenticated file uploads enable system takeover.
  • Check for this specific Joomla extension.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can upload executable files through the Joomla extension, leading to remote code execution. This occurs without needing any prior authentication or special access.

  • No authentication required.
  • Upload executable files.
  • Full remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to upload executable files to a Joomla website that uses the Page Builder CK extension. This could lead to the execution of arbitrary code on the server.

  • Executable files on the server.
  • Unauthenticated arbitrary file upload.
  • Remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in a Joomla extension likely impacts website owners and the teams managing their web infrastructure, including platform and security teams. The immediate first step is to identify all instances of the affected extension, determine their reachability and business criticality, and then assign ownership for remediation planning based on the assessed risk.

  • Website owners and platform teams should own.
  • Verify affected extension presence and reachability.
  • Plan remediation based on business risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Page Builder CK extension for Joomla?

Page Builder CK is a third-party add-on designed for Joomla content management systems. It provides users with an intuitive, drag-and-drop interface to build complex web pages, layouts, and responsive designs without needing to write custom code. It is widely used by site administrators to enhance their website's visual presentation and functionality.

How does CVE-2026-56290 cause a security risk?

This vulnerability falls under the weakness class of Improper Access Control (CWE-284). In plain English, the extension fails to properly restrict who can upload files or what types of files are permitted. Because it allows an unauthorized user to upload executable scripts to the server, the system can be tricked into running that malicious code, granting the attacker full control over the web application.

Do I need to be logged into the website to trigger this bug?

No, this vulnerability does not require any form of authentication. An attacker can reach the vulnerable upload mechanism directly through the network without needing an account or special user privileges. Merely interacting with the affected extension in its default state is sufficient for an attacker to initiate the malicious file upload.

Is my Joomla site at risk if it uses Page Builder CK?

According to Halo Surface Signal, this vulnerability is classified as external because the affected extension is typically deployed as part of an internet-facing web application. Since web content and services are designed to be accessed by the public, the vulnerable component is likely reachable from the internet. If your site is exposed to the web, you should treat this as a high-priority concern.

When should I take action to secure my environment?

You should act immediately by locating every instance of Page Builder CK running in your infrastructure. Start by verifying if the extension is present, assessing whether the affected websites are accessible to the public, and identifying who owns those specific services. Once identified, coordinate with your technical teams to plan and apply the necessary security updates to prevent unauthorized access.

References