Home/ Blog/ Security news/ Article
Blog · Security news

Two Joomla page builders are exploited for site takeover. The patch won't evict the intruder.

CISA flagged two CVSS-10 Joomla page-builder flaws, SP Page Builder (CVE-2026-48908) and Page Builder CK (CVE-2026-56290), as exploited. Patch, then hunt the

Two matching building facades with sealed front doors and one low service hatch left open

The fastest way to lose a Joomla site this month is to run a page-builder extension and treat the vendor update as the end of the story. It is not. On July 7 CISA added two more Joomla add-ons to its Known Exploited Vulnerabilities catalog, both scored CVSS 10, both letting anyone on the internet upload a file and run it with no login. Federal agencies have until July 10 to patch. The harder truth for everyone else: patching removes the way in, not the attacker who already walked through it.

The two flaws are CVE-2026-48908 in JoomShaper's SP Page Builder and CVE-2026-56290 in Joomlack's Page Builder CK. Different vendors, different code, the same defect and the same week on the exploited list.

ItemSP Page BuilderPage Builder CK
CVECVE-2026-48908CVE-2026-56290
VendorJoomShaperJoomlack
CVSS10.010.0
Affected1.0.0 through 6.6.13.5.10 and earlier
Fixed in6.6.2 (June 2026)3.6.0 (June 27, 2026)
Flaw classUnauthenticated file upload to RCEUnauthenticated file upload to RCE
Added to CISA KEVJuly 7, 2026July 7, 2026
Federal deadlineJuly 10, 2026July 10, 2026
Sources: CISA KEV catalog; JoomShaper and Joomlack advisories.

One upload flaw, three Joomla extensions in a month

This is not a one-off you can patch and forget. In mid-June we covered the JCE editor flaw (CVE-2026-48907), an unauthenticated upload in the most-installed Joomla content editor that CISA listed on June 16. Three weeks later the same failure shows up in two more popular Joomla extensions at once. That is three separate front-end upload endpoints, in three widely deployed add-ons, all reachable with no credentials, inside a single month.

The shared root cause, per the CVE records and vendor advisories, is a design decision rather than a stray coding bug. Each endpoint checked for a Joomla anti-CSRF token and treated a valid token as permission to upload. That token is an integrity check: it proves a request came from a page on the site, and any visitor can read one straight off that page. It says nothing about who you are or whether you may write files. Page Builder CK's upload also let the caller choose the destination folder and the filename, so an attacker decided where the PHP file landed. When three separate extensions treat a forgery token as a login, the issue is the pattern, and Joomla's extension upload surface is where it keeps surfacing.

The fix closes the endpoint. It does not close the breach.

Both extensions were patched weeks before CISA listed them, because KEV entries only appear once exploitation is confirmed. SP Page Builder was fixed in 6.6.2 in June; Page Builder CK shipped 3.6.0 on June 27. Researchers tracking Page Builder CK reported a live webshell on a site within hours of that release. So the gap between a public fix and real attacks was measured in hours, not weeks, and any internet-facing Joomla site that ran a vulnerable build should assume it was reachable during that window.

What the attackers leave behind is why a clean update is not the finish line. In SP Page Builder intrusions, researchers found new Super Administrator accounts created from a fixed list of plausible names, each on an @secure.local email, plus self-contained file-manager shells copied into several spots under the site's images/ and media/ folders. Page Builder CK cases dropped a shell into a directory named to blend in, /media/com_pagebuilderck/gfonts/. Update to the fixed version and the upload endpoint closes; the rogue admin and the shell stay exactly where they are. A patched Joomla site that still carries an admin account you never made is a fully owned site.

How to tell if a site was already hit

Treat every Joomla install that ran a vulnerable SP Page Builder or Page Builder CK build as suspect until you have checked it, not just updated it. Two checks find almost all of this.

First, audit the user table. Look for any Super User or Administrator account you cannot tie to a real person, and in particular for the SP Page Builder tell: machine-style usernames on an @secure.local domain. One forensic detail worth knowing: Joomla records those account timestamps using the site timezone, but your web-server logs run in UTC. A creation time that will not reconcile with the access-log clock is itself a signal.

Second, hunt for files that should not exist. A page-builder media folder holds fonts and images; a .php file inside one is close to a definitive indicator of compromise. Known drop locations from these two campaigns include:

  • a random subfolder under images/ and copies named users.php under /media/com_admin/ and /media/regularlabs/ (SP Page Builder)

  • /media/com_pagebuilderck/gfonts/ (Page Builder CK)

This is the kind of change file integrity monitoring is built to catch: a new executable file in a directory that only ever holds static assets. A managed detection layer with file integrity monitoring flags the write the moment it happens, which is the difference between finding a shell in an afternoon and finding it after the next incident. Ranking your own exposure first, by which hosts even run these extensions, is what vulnerability detection is for, and it is how you scope the hunt before you start it. For the wider job of hardening the public apps on your servers, our web application coverage lays out the surface.

Clean the media folders before you trust the patch

Order of operations matters here, and it is the lesson we drew from Ivanti Sentry: patch, then hunt, and on any host that shows an artifact, clean before you call it done. Update SP Page Builder to 6.6.2 or later and Page Builder CK to 3.6.0 or later, using the back-ported fixes if you are on an older Joomla 3 or 4 branch. Then remove any Super User you did not create, delete the dropped shells, rotate every Joomla admin credential and secret, and invalidate active sessions. Running the update without the cleanup leaves the door you locked with the intruder still inside. CISA listed a third exploited flaw the same week, in Adobe ColdFusion; the page builders are the ones most likely sitting on a small-business Joomla host that nobody is watching.

Topics

Frequently asked questions

What are CVE-2026-48908 and CVE-2026-56290?

Both are unauthenticated file-upload flaws that lead to remote code execution on Joomla sites, each rated CVSS 10. CVE-2026-48908 is in JoomShaper's SP Page Builder and CVE-2026-56290 is in Joomlack's Page Builder CK. CISA added both to its Known Exploited Vulnerabilities catalog on July 7, 2026.

Which SP Page Builder and Page Builder CK versions are safe?

SP Page Builder is vulnerable in 1.0.0 through 6.6.1 and fixed in 6.6.2, released in June 2026. Page Builder CK is vulnerable in 3.5.10 and earlier and fixed in 3.6.0, released June 27, 2026, with back-ported fixes for older Joomla 3 and Joomla 4 branches.

Does patching remove the attacker from a compromised Joomla site?

No. Updating closes the upload endpoint but does not remove what an attacker already placed. Reported intrusions left hidden Super Administrator accounts and PHP webshells that survive the update. You must audit the Joomla user table and scan for dropped shell files, then clean them, in addition to patching.

How do I check if my Joomla site was already exploited?

Check the user table for Super User accounts you cannot attribute to a real person, especially machine-style names on an @secure.local email. Then scan the page-builder media and images folders for any .php file, which should never exist there. A new executable file in a static-asset directory is a strong indicator of compromise.

Why does an anti-CSRF token not stop these uploads?

A CSRF token proves a request originated from a page on the site, not who sent it. Any visitor can read the token off a public page. Both extensions treated a valid token as permission to upload, so an unauthenticated user could pass the only check and write a file to the server.

Is Joomla core affected by these flaws?

No. Both flaws are in third-party extensions, SP Page Builder and Page Builder CK, not Joomla core. Sites without either extension installed are not affected by these CVEs. The recurring lesson is that Joomla's largest and least-monitored attack surface is its add-ons, not the platform itself.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.