Joomla page-builder CVE-2026-48908 / CVE-2026-56290 exploitation
Summary
CISA added two Joomla page-builder vulnerabilities to the Known Exploited Vulnerabilities catalog on July 7, 2026: CVE-2026-48908 in JoomShaper SP Page Builder and CVE-2026-56290 in Joomlack Page Builder. Both entries describe unauthenticated arbitrary file upload paths that can lead to PHP code execution.
The paired KEV additions are high-signal because Joomla extension exposure often sits on internet-facing marketing, commerce, education, and public-sector sites where PHP upload-to-execution flaws rapidly become web-shell, traffic-distribution, phishing, SEO-poisoning, or credential-theft infrastructure.
Tags
- ops
- operations
- vulnerability
- active exploitation
- CISA KEV
- Joomla
- JoomShaper
- SP Page Builder
- CVE-2026-48908
- Joomlack
- Page Builder CK
- CVE-2026-56290
- arbitrary file upload
- PHP code execution
- web shell
- CMS exploitation
Why this matters
- CISA's KEV entry for CVE-2026-48908 says unauthenticated users can upload arbitrary files to JoomShaper SP Page Builder, ultimately resulting in upload and execution of PHP code.
- CISA's KEV entry for CVE-2026-56290 says Joomlack Page Builder has improper access control that could allow remote code execution through unauthenticated arbitrary file upload.
- Both KEV entries have a July 10, 2026 due date under BOD 26-04, indicating urgent federal remediation priority.
- Exploited Joomla extension upload flaws should be treated as likely web-shell exposure until ruled out with logs and file-system review.
Defender heuristics
- Inventory internet-facing Joomla sites and confirm whether JoomShaper SP Page Builder or Joomlack Page Builder / Page Builder CK is installed, including disabled-but-present extension files.
- Apply vendor mitigations or fixed versions immediately. If a site cannot be patched, remove the vulnerable extension or take the site out of public reach until remediated.
- Hunt web logs for unauthenticated upload requests, extension-specific media/upload endpoints, multipart form submissions, traversal-like filenames, and unexpected requests to newly created
.php,.phtml,.phar, or template files. - Review Joomla extension directories, media paths, temporary upload directories, template overrides, and writable cache directories for recently modified executable files.
- Preserve access logs, PHP-FPM / Apache / Nginx logs, Joomla logs, and file timestamps before cleanup where exploitation is suspected.
- Rotate Joomla administrator credentials, database credentials, SMTP/API secrets, and any application secrets stored in configuration files if a PHP payload may have executed.
- Check the compromised site's outbound connections and hosted content for traffic-distribution, phishing-kit, SEO-spam, JavaScript injection, and web-shell callback behavior.
Related pages
- Joomla JCE CVE-2026-48907 exploitation
- Ghost CMS CVE-2026-26980 ClickFix poisoning
- Funnull RingH23 and MacCMS supply-chain attacks
- Operation Endgame SocGholish disruption
Sources
- CISA KEV: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- JoomShaper SP Page Builder extension listing: https://extensions.joomla.org/extension/sp-page-builder/
- Joomlack Page Builder CK product page: https://www.joomlack.fr/en/joomla-extensions/page-builder-ck
- NVD CVE-2026-48908: https://nvd.nist.gov/vuln/detail/CVE-2026-48908
- NVD CVE-2026-56290: https://nvd.nist.gov/vuln/detail/CVE-2026-56290