CVE-2026-56290 | The Joomla extension Page Builder CK is vulnerable to an una… | CVSS 10.0 CRITICAL

Description

The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.

Metadata

CVE ID: CVE-2026-56290
State: PUBLISHED
Assigner: Joomla
Reserved: 2026-06-20 11:57 UTC
Published: 2026-06-29 14:31 UTC
Last updated: 2026-06-29 15:17 UTC
Primary CWE: CWE-284
CWE-284 Improper Access Control
Vendor / Product: joomlack.fr / JoomlaCK.fr Page Builder CK extension for Joomla
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
joomlack.fr	JoomlaCK.fr Page Builder CK extension for Joomla	—	1.0-3.6.0

Weakness (CWE)

CWE	Source	Description
CWE-284	cna	CWE-284 Improper Access Control

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red

References (1)

https://www.joomlack.fr/