JH← Back to blog

Two Joomla Page Builders Just Hit CVSS 10.0 — and CISA Says They're Already Under Attack

Two Joomla page builder extensions hit CVSS 10.0 and landed on CISA's KEV list after active exploitation. Here's what CVE-2026-48908 and CVE-2026-56290 do and how to respond.


CISA added two Joomla-ecosystem vulnerabilities to its Known Exploited Vulnerabilities catalog on July 7, both carrying the maximum CVSS 4.0 score of 10.0: CVE-2026-48908 in JoomShaper's SP Page Builder and CVE-2026-56290 in Joomlack's Page Builder CK. Both let a completely unauthenticated attacker upload arbitrary files and achieve PHP code execution — no login, no prerequisite access. CVE-2026-48908 was exploited as a zero-day before a patch existed.

What the two flaws do

SP Page Builder's flaw (CWE-284, improper access control, versions below 6.6.2) let attackers upload a malicious PHP file through the uploadCustomIcon endpoint without credentials, then create a new Super User account — full administrative control. Page Builder CK has a structurally similar, separately tracked flaw, also scoring 10.0. Two independently developed extensions converging on nearly identical vulnerability classes in the same window suggests page builder-style "let admins upload custom assets" features are systemically weak on upload validation as a category, not a one-off mistake by a single team.

Part of a broader CMS defacement wave

These CVEs arrived alongside CVE-2026-48282 (a CVSS 10.0 path traversal in Adobe ColdFusion) and CVE-2026-55255 (an authorization bypass in Langflow), all added to KEV together, while Belgium's CCB warned of a massive CMS defacement campaign. If you run any Joomla, ColdFusion, or Langflow instance, treat this as a coordinated moment of elevated internet-wide scanning against exactly these platform categories.

What to actually do

Patch immediately. Upgrade SP Page Builder to 6.6.2+ and Page Builder CK to the patched release. Given active zero-day exploitation, treat this as an emergency patch, not routine maintenance.

Audit for unauthorized Super User accounts even after patching. Patching doesn't remove access already established before the patch existed. Check your Joomla user list and rotate admin credentials if there's any ambiguity.

Inventory every third-party extension, not just these two. Unauthenticated file-upload flaws in niche extensions are ideal for mass automated exploitation — predictable endpoints, no auth step, easily verified success. Build or dust off an actual inventory of installed extensions and their patch status.

Conclusion

A CVSS 10.0 score means the worst outcome with the least attacker effort, and two page builder extensions hit that mark in the same week while already under active exploitation. Patching these two CVEs is necessary but not sufficient — the real fix is treating every installed extension as something with an ongoing patch-status owner, not an install-and-forget decision.