Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Unrated

Unauthenticated Arbitrary File Upload in Joomla Page Builder CK

IdentifiersCVE-2026-56290CWE-434

CVE-2026-56290 is a critical vulnerability in the Joomla extension Page Builder CK affecting versions prior to 3.6.0. The flaw is an unauthenticated arbitrary file upload issue in the extension's file upload functionality caused by improper access control, allowing remote attackers to upload arbitrary files, including executable server-side scripts. If a malicious script is uploaded to a web-accessible location and executed by the server, the attacker can achieve full remote code execution on the affected Joomla host.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to upload and execute arbitrary code on the affected server. This can result in complete compromise of the Joomla application context and potentially the underlying host, including unauthorized access to sensitive data, modification or destruction of content, deployment of additional malware or webshells, and disruption of service. The provided context indicates high impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict or disable the vulnerable file upload functionality, limit upload permissions to trusted authenticated administrators only, and enforce strict server-side validation of uploaded file types. Configure the web server so upload directories do not allow execution of scripts, and monitor for suspicious file creation or access in upload paths. Additional compensating controls such as WAF rules may help reduce exposure but are not a substitute for upgrading.

Remediation

Patch, then assume compromise.

Upgrade the Joomla Page Builder CK extension to version 3.6.0 or later. Review and harden the extension's upload handling to ensure only authorized users can access upload functionality and that executable files cannot be uploaded or executed. After patching, inspect the server and web-accessible upload directories for previously uploaded malicious files or webshells and remove any unauthorized artifacts.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.