CVE-2026-56290: Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0
The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload: an attacker can upload executable files to the server without credentials, which leads to full remote code execution.
Metrics
- CVSS v4.0: 10.0
- Severity: CRITICAL
- Fixed in: — (no fix version published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated arbitrary file upload vulnerability exists in the Page Builder CK extension for Joomla, developed by JoomlaCK.fr, in versions from 1.0 up to but not including 3.6.0. The flaw is reachable over the network, requires no credentials and no victim interaction, and is therefore trivially exploitable by anyone who can reach the site. Successful exploitation gives an attacker remote code execution on the host running the Joomla installation, in the context of the web server process. No fix version has been published; HarborGuard is tracking the advisory and will make a patched rebuild available as soon as upstream ships one.
HarborGuard Coverage
Detection: Available. Detection of CVE-2026-56290 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Page Builder CK extension. Any image found to carry an affected version of the extension is flagged immediately in the pipeline scan results.
Triage: Available. HarborGuard scores this finding at CVSS 10.0 Critical and weights it against each customer environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer organization according to the configured escalation rules.
Remediation: Pending upstream. Because no upstream fix version has been published for CVE-2026-56290, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as a fix is released upstream. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads are triggered without manual intervention once a fix version becomes available.
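The version match that the detection paragraph describes, shown as an added example (this is not HarborGuard's or JoomlaCK.fr's code): a Python script that walks an unpacked image layer or a Joomla docroot, parses every Joomla extension manifest it finds (an XML file whose root element is `<extension>`, or `<install>` in old releases, with `<name>` and `<version>` children) and reports Page Builder CK installs below 3.6.0, the first version the advisory title treats as unaffected. The name pattern, the directory names in the sample tree and the three constructed manifests are assumptions made for the example; the advisory gives no file paths.

```python
"""
Version-match check for CVE-2026-56290 over a Joomla filesystem tree.

Added example, not HarborGuard's or JoomlaCK.fr's code. Assumptions that are
not taken from the advisory: the manifest <name> contains "page builder ck"
(case-insensitive); the <version> starts with dotted numerics; the directory
names in the constructed sample tree are made up, not the real install layout.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

CVE_ID = "CVE-2026-56290"
CVSS_SCORE = 10.0
FIXED_IN = (3, 6, 0)                      # advisory: affected versions are < 3.6.0
NAME_PATTERN = re.compile(r"page\s*builder\s*ck", re.IGNORECASE)   # assumption
MANIFEST_ROOTS = ("extension", "install")  # Joomla 1.6+ uses <extension>, 1.5 <install>


def parse_version(text: str) -> Tuple[int, int, int]:
    """'3.5.2' -> (3, 5, 2); '3.6' -> (3, 6, 0). Pre-release suffixes are dropped.

    Padding to three components matters: a bare tuple compare would treat
    (3, 6) as less than (3, 6, 0) and wrongly flag version 3.6 as vulnerable.
    """
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_vulnerable(version: str) -> bool:
    """True when the version is inside the advisory's affected range (< 3.6.0)."""
    return parse_version(version) < FIXED_IN


def read_manifest(path: str) -> Optional[Tuple[str, str]]:
    """Return (name, version) if `path` is a Joomla extension manifest, else None."""
    try:
        root = ET.parse(path).getroot()  # stdlib ET does not fetch external entities
    except ET.ParseError:
        return None
    if root.tag not in MANIFEST_ROOTS:
        return None
    name, version = root.findtext("name"), root.findtext("version")
    if not name or not version:
        return None
    return name.strip(), version.strip()


def scan(tree_root: str) -> List[Dict[str, object]]:
    """Walk `tree_root` and return one finding per vulnerable Page Builder CK manifest."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(tree_root):
        for filename in files:
            if not filename.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, filename)
            parsed = read_manifest(path)
            if parsed is None:
                continue
            name, version = parsed
            if NAME_PATTERN.search(name) and is_vulnerable(version):
                findings.append({
                    "cve": CVE_ID,
                    "cvss": CVSS_SCORE,
                    "path": os.path.relpath(path, tree_root),
                    "name": name,
                    "version": version,
                    "fixed_in": None,            # no upstream fix version published
                    "policy": "non-compliant",   # block deployment until patched
                })
    return findings


def build_sample_tree() -> str:
    """Write a constructed sample tree (made-up paths) and return its base directory."""
    def manifest(name: str, version: str, ext_type: str = "component") -> str:
        return (f'<?xml version="1.0" encoding="utf-8"?>\n'
                f'<extension type="{ext_type}" method="upgrade">\n'
                f'  <name>{name}</name>\n  <version>{version}</version>\n'
                f'</extension>\n')

    files = {
        "image_a/administrator/components/pagebuilder/manifest.xml":
            manifest("Page Builder CK", "3.5.2"),                     # affected
        "image_b/administrator/components/pagebuilder/manifest.xml":
            manifest("Page Builder CK", "3.6.0"),                     # outside range
        "image_a/plugins/content/other/other.xml":
            manifest("Content - Other Plugin", "1.0.0", "plugin"),    # unrelated
        "image_a/templates/site/templateDetails.xml":
            '<?xml version="1.0"?>\n<metadata><name>x</name></metadata>\n',  # not a manifest
    }
    base = tempfile.mkdtemp(prefix="joomla-scan-")
    for rel, content in files.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for finding in scan(build_sample_tree()):
        print(finding)
```

Running the script against the constructed tree yields a single finding for the 3.5.2 install; the 3.6.0 copy, the unrelated plugin and the non-manifest XML are skipped. Point `scan()` at an unpacked image layer to reproduce the image match, and treat the `policy` field as the input to whatever deployment gate you run.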
Exploit Conditions
- Network reachability: Required
The extension exposes its file upload functionality over the network (AV:N in the CVSS vector), so an attacker must be able to reach the Joomla web service to exploit this vulnerability.
- Authentication: Not required
No account or session credentials of any privilege level are needed (PR:N); the upload endpoint accepts requests from unauthenticated users.
- Victim interaction: Not required
Exploitation is fully server-side (UI:N) and requires no action from any user or administrator of the Joomla site.
- Attack complexity: Low
Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special conditions, race timing, or environmental prerequisites.
Blast Radius
- An attacker uploads and executes arbitrary server-side code, achieving full remote code execution on the Joomla host.
- All data accessible to the web server process, including database credentials, user records, and stored session tokens, can be read directly.
- An attacker can write, modify, or delete files and database content across the Joomla installation, including content served to end users.
- The compromise can extend to systems reachable from the host: the subsequent-system impact metrics in the CVSS v4 vector (SC, SI and SA) are all rated High, meaning downstream services and infrastructure connected to the Joomla environment are also at risk.
How HarborGuard Handles This
Because no upstream patch exists for CVE-2026-56290 as of the publication date, HarborGuard continuously monitors the advisory and will surface a patched-image rebuild as soon as JoomlaCK.fr releases a fix. In the interim, customers can apply compensating controls through HarborGuard policy rules: flagging any image containing the affected extension as non-compliant for deployment, enforcing network-policy isolation to restrict inbound access to Joomla endpoints, and applying egress filtering to limit what the web server process can reach if the host is already exposed. Note that inbound isolation only helps where the Joomla front end is not itself internet-facing; for a public site, the remaining option until upstream ships a fix is to disable or remove the extension. For customers who opt into auto-remediation, the full rebuild, regression test, and PR workflow triggers automatically once a fix version is published upstream; in environments with auto-remediation enabled, the median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes.
Affected Products
- joomlack.fr (JoomlaCK.fr): Page Builder CK extension for Joomla, versions 1.0 to < 3.6.0
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red