Two Joomla Plugin RCE Vulnerabilities exploited in the wild (CVE-2026-48908, CVE-2026-56290)

Executive Summary

On July 7th, 2026, CISA added two Joomla extension vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. Tracked as CVE-2026-48908 and CVE-2026-56290, both vulnerabilities have CVSS base scores of 10, and both exploit unauthenticated arbitrary file uploads that can result in remote code execution (RCE) on affected Joomla servers.

Page Builder CK (CVE-2026-48908) and SP Page Builder (CVE-2026-56290) are both drag-and-drop page-building extensions for Joomla, a widely deployed open-source content management system that underpins a large number of small business, nonprofit, and community websites. Because the vulnerable upload functionality requires no authentication and writes directly to a location where they can be executed by the web server, a single crafted request is enough to compromise a site. Attackers exploiting these flaws have been observed planting hidden administrator accounts and deploying PHP file manager backdoors on compromised Joomla sites, giving them durable, high-privilege access that can persist well after the initial compromise is discovered. Both vendors have released fixed versions.

Given active exploitation of both vulnerabilities has been confirmed and listed within CISA’s KEV catalog, Beazley Security recommends affected organizations apply available fixes immediately and conduct a thorough review for any signs of compromise.

Affected Systems and Products

 Product

 Affected Versions

 JoomShaper SP Page Builder (Joomla extension)  1.0.0 through 6.6.1
 Page Builder CK (Joomla extension, Joomlack)  1.0 through 3.5.10

Mitigations and Workarounds

Where immediate patching isn't possible, the vulnerable upload handlers in both extensions are reachable without authentication, so the only reliable interim step is to remove the exposure:

  1. Temporarily disable or uninstall the vulnerable extension (Page Builder CK and/or SP Page Builder) until the update can be applied.
  2. If the extension cannot be disabled, block public access to its component endpoints (index.php?option=com_pagebuilderck and index.php?option=com_sppagebuilder) at the web server or WAF layer.

Patches

Joomlack released Page Builder CK 3.6.0 on June 27, 2026, fixing CVE-2026-56290; the update is available through the Joomlack forum and the GitHub security advisory.

JoomShaper released SP Page Builder 6.6.2, fixing CVE-2026-48908, documented in its GitHub security advisory. Site owners should confirm they are running these versions or later.

Indicators of Compromise

For CVE-2026-56290, researchers observed attackers uploading web shells within hours of the patch being released, using the extension's font-upload handler option=com_pagebuilderck&task=fonts.save to write PHP files into media/com_pagebuilderck/gfonts/. Site owners should check that directory, and Joomla's media and upload folders generally, for unexpected .php files and review web server access logs for unsolicited POST requests to index.php containing option=com_pagebuilderck from external hosts.

For CVE-2026-48908, attackers have used the plugin's custom icon upload feature to write a PHP file manager backdoor into the web root and create hidden administrator accounts. Site owners should review the Joomla Users list (Users > Manage in the admin backend) for administrator accounts they did not create and check upload and media directories for unrecognized PHP files.

Technical Details

SP Page Builder ships with a custom icon upload feature that is reachable without authentication. The handler behind it does not properly restrict the types of files it accepts before writing the upload into the site’s web root, pairing an unrestricted-upload weakness with the extension’s broader access control weakness. Because the web server will execute a PHP file wherever it sits under the web root, an attacker can disguise a PHP web shell as an icon upload and then request it directly to run arbitrary code with the privileges of the web server process. This creates a single-request path to RCE that requires no credentials and no user interaction, resulting in fast, automated exploitation now that public details are available.

Page Builder CK is exploited through a similar mechanism. It includes a feature that lets site administrators fetch and cache Google Fonts locally, handled by the extension’s fonts.save task. The handler accepts a remote URL and saves the fetched content into a web-accessible folder under the site’s media directory. The vulnerability combines two flaws: the endpoint fails to properly verify that the request comes from an authenticated, privileged Joomla admin, and it fails to validate that the fetched content is actually a font file before writing it to disk. An unauthenticated attacker can point the handler to PHP code, causing the extension to save it into the public media folder, where it can then be executed directly by requesting its URL.

A public proof-of-concept is available and automates this end-to-end: it retrieves a CSRF token from the site’s homepage, submits the crafted upload request, and confirms code execution by requesting the resulting shell. Given the low complexity of the exploit and the absence of any authentication requirement, Joomla sites running vulnerable versions of this widely used extension remain an attractive and easy target for opportunistic, automated attacks.

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Sources

Aware of an incident impacting your industry? Let us know:

Report an incident