Site icon Fix I.T. Phill – Your Go-To Tech Guru

Joomlack Page Builder CK CVE-2026-56290: Patch Joomla Builders Now

Joomlack Page Builder CK CVE-2026-56290 KEV defensive patch checklist

Joomlack Page Builder CK CVE-2026-56290 KEV defensive patch checklist

Update: CISA added CVE-2026-56290 for Joomlack Page Builder CK to the Known Exploited Vulnerabilities catalog on July 7, 2026. This is now a CISA KEV item, so Joomla site owners and hosting teams should treat it as active patch work, not a normal extension update.

What Changed

CISA lists this as a Page Builder CK access-control flaw that can lead to remote code execution through unauthenticated arbitrary file upload. The KEV due date is July 10, 2026, and CISA currently lists ransomware campaign use as unknown.

The CVE record is published by the Joomla Project CNA and gives the issue a critical CVSS 4.0 score. The vendor page for Page Builder CK lists version 3.6.0 with an important security fix, so current Joomla sites should move to the current vendor security release or later.

Who Should Check

Patch First

  1. Take a fresh file and database backup before changing the site.
  2. Confirm whether Page Builder CK is installed and record the current version.
  3. Update Page Builder CK to the current vendor security release. For modern Joomla installs, use 3.6.0 or later. If the site is stuck on an older Joomla branch, use the vendor’s supported patched branch or plan a Joomla upgrade.
  4. Clear Joomla, CDN, and server cache after the update.
  5. Recheck the extension version from the Joomla administrator area, then confirm the public site still renders expected pages.

Review For Compromise

Because this is now in KEV, patching should be paired with a compromise review. Look for unexpected executable files in writable web folders, recently changed templates, unknown administrator users, unfamiliar scheduled jobs, and suspicious mail or outbound traffic. If anything looks wrong, isolate the site, preserve a backup for investigation, rotate credentials, and restore from a clean point only after the extension is patched.

Hosting Admin Notes

Hosts should inventory Joomla accounts for Page Builder CK, prioritize internet-facing sites, and notify customers who manage their own extensions. A temporary WAF or file-execution restriction can reduce exposure while updates are scheduled, but it should not be treated as a replacement for the vendor security release.

Sources

Exit mobile version