CRITICAL🇵🇱 Wersja polska

CVE-2026-56290

CVSS 10.0v4.0pub. 2026-06-29upd. 2026-07-05

The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.

🤖 AI Analysis
How it works

The vulnerability results from insufficient access control (CWE-284) in the file upload mechanism of the Page Builder CK extension. An attacker without any authentication can send an HTTP request containing an executable file (e.g., PHP webshell) to the vulnerable endpoint. After successful upload, the file is saved in a location accessible by the web server, enabling its remote invocation and execution of arbitrary system commands.

Impact

The attacker gains full control over the server — can execute arbitrary system commands, read and modify data, and use the compromised server as a launching point for further attacks on the internal network.

Mitigation & patch

Apply patches available from the vendor according to the references (https://www.joomlack.fr/). Until the update is implemented, it is recommended to disable or uninstall the Page Builder CK extension and restrict access to the Joomla service at the firewall level.

Who is affected

Page Builder CK extension for Joomla — versions indicated in the vendor references (https://www.joomlack.fr/)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
  • Joomlack Page Builder Ck

    APP
    Joomlack
    ≤ 3.6.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References