PT-2026-53285 · Joomla · Page Builder Ck
Phil Taylor
·
Published
2026-06-29
·
Updated
2026-07-08
·
CVE-2026-56290
CVSS v4.0
10
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red |
Name of the Vulnerable Software and Affected Versions
Page Builder CK extension for Joomla versions prior to 3.6.0
Description
The Page Builder CK extension for Joomla contains an unauthenticated arbitrary file upload flaw. The issue stems from improper input validation and insufficient server-side restrictions on uploaded file paths and types, allowing attackers to upload executable files, such as PHP webshells, directly to the web server. By requesting these uploaded files over HTTP, a remote attacker can achieve full remote code execution (RCE) in the context of the web server, potentially leading to complete site takeover and data theft. The flaw affects multiple CKEditor upload endpoints.
Recommendations
Update Page Builder CK extension for Joomla to version 3.6.0 or later.
Exploit
Fix
RCE
Unrestricted File Upload
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Page Builder Ck