Skip to content

Joomla page-builder CVE-2026-48908 / CVE-2026-56290 exploitation

Summary

CISA added two Joomla page-builder vulnerabilities to the Known Exploited Vulnerabilities catalog on July 7, 2026: CVE-2026-48908 in JoomShaper SP Page Builder and CVE-2026-56290 in Joomlack Page Builder. Both entries describe unauthenticated arbitrary file upload paths that can lead to PHP code execution.

The paired KEV additions are high-signal because Joomla extension exposure often sits on internet-facing marketing, commerce, education, and public-sector sites where PHP upload-to-execution flaws rapidly become web-shell, traffic-distribution, phishing, SEO-poisoning, or credential-theft infrastructure.

Tags

Why this matters

  • CISA's KEV entry for CVE-2026-48908 says unauthenticated users can upload arbitrary files to JoomShaper SP Page Builder, ultimately resulting in upload and execution of PHP code.
  • CISA's KEV entry for CVE-2026-56290 says Joomlack Page Builder has improper access control that could allow remote code execution through unauthenticated arbitrary file upload.
  • Both KEV entries have a July 10, 2026 due date under BOD 26-04, indicating urgent federal remediation priority.
  • Exploited Joomla extension upload flaws should be treated as likely web-shell exposure until ruled out with logs and file-system review.

Defender heuristics

  1. Inventory internet-facing Joomla sites and confirm whether JoomShaper SP Page Builder or Joomlack Page Builder / Page Builder CK is installed, including disabled-but-present extension files.
  2. Apply vendor mitigations or fixed versions immediately. If a site cannot be patched, remove the vulnerable extension or take the site out of public reach until remediated.
  3. Hunt web logs for unauthenticated upload requests, extension-specific media/upload endpoints, multipart form submissions, traversal-like filenames, and unexpected requests to newly created .php, .phtml, .phar, or template files.
  4. Review Joomla extension directories, media paths, temporary upload directories, template overrides, and writable cache directories for recently modified executable files.
  5. Preserve access logs, PHP-FPM / Apache / Nginx logs, Joomla logs, and file timestamps before cleanup where exploitation is suspected.
  6. Rotate Joomla administrator credentials, database credentials, SMTP/API secrets, and any application secrets stored in configuration files if a PHP payload may have executed.
  7. Check the compromised site's outbound connections and hosted content for traffic-distribution, phishing-kit, SEO-spam, JavaScript injection, and web-shell callback behavior.

Sources

  • CISA KEV: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
  • JoomShaper SP Page Builder extension listing: https://extensions.joomla.org/extension/sp-page-builder/
  • Joomlack Page Builder CK product page: https://www.joomlack.fr/en/joomla-extensions/page-builder-ck
  • NVD CVE-2026-48908: https://nvd.nist.gov/vuln/detail/CVE-2026-48908
  • NVD CVE-2026-56290: https://nvd.nist.gov/vuln/detail/CVE-2026-56290