How is CVE-2026-39292 exploited?

Network reachability (required): The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the service via HTTP/HTTPS. Authentication (not-required): No credentials are needed; the upload endpoint accepts requests from unauthenticated remote users. Victim interaction (not-required): The attacker interacts directly with the server-side endpoint; no user action or social engineering is required. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race wins, or environmental tuning.

What is the impact of CVE-2026-39292?

Attacker uploads and executes arbitrary server-side code, achieving full remote code execution on the host running PHPPageBuilder. Confidential files and data accessible to the web server process can be read and exfiltrated. Attacker can modify or delete files and application data reachable by the server process. The running service or host can be crashed or destabilized, causing a denial of service for legitimate users.

Back to search

HIGHCVE-2026-39292Published 2026-05-29Modified 2026-06-01CNA mitre

CVE-2026-39292: Falco Solutions PHPPageBuilder v0

Falco Solutions PHPPageBuilder v0.31.0 contains an unrestricted file upload vulnerability in the pagemanager/pagebuilder module that allows remote attackers to upload arbitrary files and achieve remote code execution. The vulnerability exists due to insufficient validation of uploaded file types and executable content.

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An unrestricted file upload vulnerability in Falco Solutions PHPPageBuilder v0.31.0 allows remote attackers to upload arbitrary files, including server-side scripts, through the pagemanager/pagebuilder module. The service is reachable over the network and requires no authentication, meaning any attacker who can reach the endpoint can attempt exploitation. Successful exploitation gives the attacker remote code execution on the host. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that package PHPPageBuilder. Any image found running the affected v0.31.0 release is flagged immediately.

Available

Triage

HarborGuard scores this finding at CVSS 7.3 HIGH using the published v3.1 vector, and per-environment compliance policy weighting can escalate or suppress routing accordingly. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no upstream fix version exists, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is published upstream. In the meantime, customers with auto-remediation enabled can receive compensating-control guidance such as network-policy isolation to restrict access to the pagemanager/pagebuilder endpoint.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the service via HTTP/HTTPS.
AuthenticationNot required
No credentials are needed; the upload endpoint accepts requests from unauthenticated remote users.
Victim interactionNot required
The attacker interacts directly with the server-side endpoint; no user action or social engineering is required.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race wins, or environmental tuning.

Blast Radius

Attacker uploads and executes arbitrary server-side code, achieving full remote code execution on the host running PHPPageBuilder.
Confidential files and data accessible to the web server process can be read and exfiltrated.
Attacker can modify or delete files and application data reachable by the server process.
The running service or host can be crashed or destabilized, causing a denial of service for legitimate users.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously against all customer image registries and CI pipelines, with detection firing within minutes of the advisory being ingested. Because no upstream fix version has been published, a patched-image rebuild cannot yet be generated; however, HarborGuard will make one available automatically the moment Falco Solutions ships a fix. While awaiting a patch, customers are advised to apply network-policy isolation to block unauthenticated external access to the pagemanager/pagebuilder endpoint, use egress filtering to limit outbound connections from the affected container, and consider feature-flag or configuration gating to disable the file upload module entirely if it is not required. For customers who opt into auto-remediation, a rebuild, regression-test run, and PR against affected workloads will be triggered automatically once an upstream fix is available.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

Metrics

Get notified