Joomlack Page Builder unauthenticated file-upload RCE
An improper access control flaw in Joomlack Page Builder (a Joomla extension) permits unauthenticated arbitrary file upload, leading to remote code execution. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
- Vendor
- Joomlack
- Product
- Page Builder (Joomla extension)
- CVSS
- 9.8
- EPSS (exploit probability)
- 0.4%
- Status
- kev
- Published
CVE-2026-56290 is an improper access control flaw in Joomlack Page Builder, a Joomla extension shipped by joomlack.fr. Per NVD’s record, the flaw “could allow for remote code execution via unauthenticated arbitrary file upload” — no authentication required, PHP execution on the target Joomla install as the payoff.
Advisory context
CISA added CVE-2026-56290 to the Known Exploited Vulnerabilities catalog on 2026-07-07 alongside CVE-2026-48908 — an unauthenticated file-upload RCE in a separate Joomla page-builder extension from a separate vendor (JoomShaper) — and CVE-2026-55255, a Langflow IDOR. Federal due date on all three: 2026-07-10.
Two Joomla page-builder RCEs landing on KEV the same day is a scoping signal, not a coincidence. Whichever extension the campaign started on is unlikely to be the one it finishes on — treat any page-builder or file-upload-adjacent extension in your Joomla install as in scope for a same-week audit.
What to do
If a public-facing Joomla site runs Joomlack Page Builder, patch to the vendor-supplied fix or take the site offline. Verify installed extensions via the #__extensions database table, and audit images/, template uploads, and any writable directory for unexpected .php or .phtml files — a compromised Joomla install is the sort of thing that turns into a mail-spam relay by the following morning. See the article writeup for full priority order.
NVD’s canonical record: CVE-2026-56290.