CISA has moved two exploited Joomla page-builder vulnerabilities into its Known Exploited Vulnerabilities catalog, giving exposed sites a short patch window and a clear warning: old SP Page Builder and PageBuilder CK installs should be treated as possible web-shell entry points, not just outdated extensions.[1]
The two bugs are CVE-2026-48908 in JoomShaper SP Page Builder and CVE-2026-56290 in Joomlack Page Builder CK. Both sit in the same dangerous class: unauthenticated upload paths that can let an attacker place executable PHP on a Joomla site and run it. NVD lists both with critical scoring, including CVSS 4.0 score 10.0 from the Joomla CNA and CVSS 3.1 score 9.8 from NVD analysis.[2][3]
This was selected for publication because it has a strong HowToFix reader fit: Joomla site owners, agencies, and hosting operators need more than the headline. They need to know which extensions to update, why a patch alone may not clean a compromised site, and where to look for the artifacts attackers leave behind. It is also close to a pattern we have already covered in the Joomla JCE exploited editor RCE flaw and in web-shell incidents such as KnowledgeDeliver dropping Godzilla web shells.
What Joomla admins should check now
For SP Page Builder, the public record says versions up to and including 6.6.1 are affected and 6.6.2 is the key fixed release. The risky endpoint is described by mySites.guru as an unauthenticated `asset.uploadCustomIcon` task that could accept a PHP file and write it into a web-served location. Their incident notes say the exploit chain was used to plant hidden Joomla Super Administrator accounts and PHP file-manager backdoors, so a site that was vulnerable before patching needs a compromise review, not only an extension update.[4]
The practical check is simple but not optional: update SP Page Builder to 6.6.2 or later, then review Joomla Super Users for accounts nobody created, especially accounts using an @secure.local email address. Search for unexpected PHP files under paths such as /images/<random>/fonts/, /media/com_admin/, and /media/regularlabs/. Also review access logs for requests containing option=com_sppagebuilder and task=asset.uploadCustomIcon, allowing for URL-encoded variants.
For PageBuilder CK, mySites.guru reports active exploitation shortly after the fix landed, including a web shell seen at /media/com_pagebuilderck/gfonts/bhup.php. The current-line fix is PageBuilder CK 3.6.0, while older Joomla 3 and Joomla 4 branches received back-ported fixed builds. Their guidance is to check for stray PHP files under /media/com_pagebuilderck/ and more broadly under media, images, templates, and administrator folders because the upload path can be used to place code where it should never exist.[5]
If either extension was exposed, rotate Joomla administrator passwords, database credentials stored in configuration.php, FTP/SFTP keys, and hosting-panel credentials after cleanup. A web shell often gives the attacker enough access to read secrets and return through another path. The same persistence lesson applies to CMS backdoor cases such as the OptinMonster WordPress backdoor incident: removing the first visible file is not the same as restoring trust.
Sites that cannot patch immediately should block the vulnerable request paths at the web server or WAF layer, but that is only a temporary control. Blocking PHP execution in upload/media folders is useful hardening, yet it cannot fully compensate for an endpoint that lets an attacker choose write locations. The priority order is patch, take a clean backup for evidence, hunt for web shells and rogue admins, rotate secrets, and then monitor logs for repeat attempts.
References
- CISA, CISA Adds Three Known Exploited Vulnerabilities to Catalog, July 7, 2026.
- NVD, CVE-2026-48908 Detail, last modified July 7, 2026.
- NVD, CVE-2026-56290 Detail, last modified July 7, 2026.
- mySites.guru, SP Page Builder Zero Day Is Being Used to Plant Fake Joomla Admins.
- mySites.guru, PageBuilder CK RCE – CVE-2026-56290.
Leave a Comment