CISA Known Exploited Vulnerability (KEV): Both CVEs added to the CISA KEV Catalog on July 7, 2026. Action due July 10, 2026 (Friday). Both are CVSS 10.0. BOD 26-04 applies — federal agencies must patch by Friday.
CVE: CVE-2026-48908 (SP Page Builder), CVE-2026-56290 (Page Builder CK) | CVSS 3.1: 10.0 (Critical) both | Vendor: JoomShaper / Joomlack | Product: SP Page Builder for Joomla / Page Builder CK for Joomla | Affected: Consult vendor advisories
What Is the Vulnerability
CVE-2026-48908 (CVSS 10.0): A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code. CVE-2026-56290 (CVSS 10.0): The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full remote code execution. Both are maximum severity and allow attackers to take over Joomla sites without authentication.
Versions Affected
- SP Page Builder for Joomla — affected versions per JoomShaper advisory
- Page Builder CK for Joomla — affected versions per Joomlack advisory
Exploited?
Yes — both are actively exploited. CISA added both to the KEV catalog on July 7, 2026, citing evidence of active exploitation. Both are unauthenticated, network-based attacks with CVSS 10.0 severity.
Fix
Both vendors have released security updates.
- SP Page Builder: Update to the latest patched version per JoomShaper advisory.
- Page Builder CK: Update to the latest patched version per Joomlack advisory.
Recommendations
- Patch by Friday July 10: CISA KEV deadline applies. Apply patches immediately.
- Audit for compromise: Check Joomla web directories for unauthorized PHP files.
- Review file uploads: Ensure file upload controls are properly configured even after patching.
References
- The Hacker News: CISA adds 4 KEVs
- JoomShaper Security Advisory (SP Page Builder)
- Joomlack Security Advisory (Page Builder CK)
- CISA Known Exploited Vulnerabilities Catalog
Part of the Vulnerability Intelligence series on threat-modeling.com. July 8, 2026 Report.
