PT-2026-53285 · Joomla · Page Builder Ck

Phil Taylor

·

Published

2026-06-29

·

Updated

2026-07-08

·

CVE-2026-56290

CVSS v4.0

10

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red
Name of the Vulnerable Software and Affected Versions Page Builder CK extension for Joomla versions prior to 3.6.0
Description The Page Builder CK extension for Joomla contains an unauthenticated arbitrary file upload flaw. The issue stems from improper input validation and insufficient server-side restrictions on uploaded file paths and types, allowing attackers to upload executable files, such as PHP webshells, directly to the web server. By requesting these uploaded files over HTTP, a remote attacker can achieve full remote code execution (RCE) in the context of the web server, potentially leading to complete site takeover and data theft. The flaw affects multiple CKEditor upload endpoints.
Recommendations Update Page Builder CK extension for Joomla to version 3.6.0 or later.

Exploit

Fix

RCE

Unrestricted File Upload

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56290

Affected Products

Page Builder Ck