Skip to content
Security & Trust

Joomla Page Builder Flaw Lands on CISA's Actively Exploited Vulnerability List

CVE-2026-56290 allows unauthenticated file uploads on Joomla sites — CISA confirms active exploitation.

· 5 min read
Share on X LinkedIn
Joomla Page Builder Flaw Lands on CISA's Actively Exploited Vulnerability List

An Extension, Not the Core

Joomlack Page Builder, a drag-and-drop layout extension for Joomla-based sites, has been added to the CISA Known Exploited Vulnerabilities catalog. The entry, CVE-2026-56290, describes an improper access control flaw that lets an attacker upload arbitrary files without authenticating first — a direct path to remote code execution. The vulnerability carries a CVSS 4.0 score of 10.0, the maximum possible severity rating. It sits in the extension layer, not Joomla core, echoing a pattern WebPulse has tracked across every major CMS: the attack surface expands fastest where third-party code plugs into a trusted platform.

10.0 (Maximum)
CVSS 4.0 Severity Score
Source: NVD, CVE-2026-56290 (July 2026)

The Vector: No Login Required

What separates this listing from routine CVE disclosures is the authentication bar — there isn't one. Improper access control combined with unrestricted file upload means the exploit chain requires no valid credentials, no session token, no social engineering step. A request reaches the upload handler, a file lands on the server, and code executes. That combination is precisely what CISA's KEV catalog is built to flag: not theoretical severity, but confirmed use against real infrastructure.

Unauthenticated file upload → remote code execution
Attack Vector
Source: CISA KEV Catalog entry CVE-2026-56290 (July 7, 2026)

Two Vendors, One Vulnerability Class, One Day

CVE-2026-56290 was not an isolated addition. CISA's July 7, 2026 catalog update added four vulnerabilities in a single batch, and a second entry — CVE-2026-48908, affecting JoomShaper's SP Page Builder — describes the same vulnerability class: unrestricted file upload via improper access control in a Joomla page-builder extension. Two competing extension vendors, two independent codebases, one vulnerability pattern, one day. The coincidence is structural, not coincidental: both extensions implement drag-and-drop layout editing, both need file-upload handlers to function, and neither applied authentication checks to those handlers. When the same flaw appears independently in two products that serve the same role, the problem is the role's security assumptions, not one vendor's implementation.

2 of 4 entries (CVE-2026-56290 + CVE-2026-48908)
Joomla Extension CVEs in July 7 CISA Batch
Source: CISA Known Exploited Vulnerabilities Catalog (July 7, 2026)

Why Unauthenticated Endpoints Matter More in 2026

WebPulse's operating thesis is that AI acts as a risk multiplier, not a new category of threat. Automated scanning tools — the same class of software that also powers legitimate crawling and agentic browsing — do not need a login form to find an open upload endpoint; they only need the endpoint to exist and respond. A flaw that requires zero authentication removes the one variable that used to slow mass exploitation down: credential theft. Notably, CVE-2026-56290's own EPSS score is just 0.00239 — near zero — despite CISA confirming active exploitation and the CVSS rating hitting the ceiling. This divergence between EPSS (a 30-day predictive probability) and KEV (confirmed real-world exploitation) is itself a data point: the catalog exists because predictive models alone do not capture what is already happening in the field.

The Detection Gap Extension Ecosystems Create

Joomla, like WordPress, relies on a marketplace of independently maintained extensions to deliver functionality core teams don't build themselves. That model accelerates feature delivery, and it also means security review happens at the extension author's discretion rather than under a unified process. Site owners frequently know which CMS they run; fewer can name every extension installed underneath it, let alone track its patch history. WebPulse, like most external scanners, can identify the CMS a site runs via HTML and HTTP header signatures but generally cannot enumerate installed extensions — which is itself the blind spot this listing exposes. The vulnerable component is invisible to the tools most organizations rely on to know what they are running.

What Budget-Signers Take From This

A CISA KEV listing is a specific signal: confirmed exploitation, not projected risk. For organizations running Joomla-based sites with page-builder extensions, the relevant question isn't whether the CMS itself is sound — it's whether every installed extension has an owner accountable for patching within days, not quarters. Two independent Joomla page-builder extensions landing in the same CISA batch on the same day makes that question harder to defer. As machine traffic and automated probing become a larger share of what reaches a public-facing site, the gap between 'patched core' and 'patched everything installed on top of it' is where incidents originate.

CVEs in this analysis
CVE-2026-56290 CVE-2026-48908
Share this insight