CVE-2026-56290 CRITICAL

CVE-2026-56290: Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0

Vendor Joomlack.fr
Product JoomlaCK.fr Page Builder CK extension for Joomla
Weakness CWE-284
Published June 29, 2026
Last update July 1, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red

What the vulnerability does

01Description

The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.

Explanation of Vulnerability in Simple Terms

02Summary

The JoomlaCK.fr Page Builder CK extension for Joomla contains an access control flaw that allows unauthenticated attackers to perform unauthorized actions over the network. The vulnerability affects versions 1.0-3.6.0 and earlier. No patch information is currently available. Site administrators should monitor for updates from the vendor.

What an attacker can do

03Attacker Capabilities

Perform unauthorized actions on the Joomla site without authentication.

Potential impact on your site

04Site Impact

Attackers can modify or access sensitive site data and functionality without logging in.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

June 29, 2026 CVE published
July 1, 2026 Record updated