CVE-2026-48908 and CVE-2026-56290: Two Joomla Page Builder CVSS 10.0 Vulnerabilities Added to CISA KEV — Deadline Friday July 10

CVE-2026-48908 and CVE-2026-56290: Two Joomla Page Builder CVSS 10.0 Vulnerabilities Added to CISA KEV — Deadline Friday July 10

CISA Known Exploited Vulnerability (KEV): Both CVEs added to the CISA KEV Catalog on July 7, 2026. Action due July 10, 2026 (Friday). Both are CVSS 10.0. BOD 26-04 applies — federal agencies must patch by Friday.

CVE: CVE-2026-48908 (SP Page Builder), CVE-2026-56290 (Page Builder CK) | CVSS 3.1: 10.0 (Critical) both | Vendor: JoomShaper / Joomlack | Product: SP Page Builder for Joomla / Page Builder CK for Joomla | Affected: Consult vendor advisories


What Is the Vulnerability

CVE-2026-48908 (CVSS 10.0): A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code. CVE-2026-56290 (CVSS 10.0): The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full remote code execution. Both are maximum severity and allow attackers to take over Joomla sites without authentication.


Versions Affected

  • SP Page Builder for Joomla — affected versions per JoomShaper advisory
  • Page Builder CK for Joomla — affected versions per Joomlack advisory

Exploited?

Yes — both are actively exploited. CISA added both to the KEV catalog on July 7, 2026, citing evidence of active exploitation. Both are unauthenticated, network-based attacks with CVSS 10.0 severity.


Fix

Both vendors have released security updates.

  • SP Page Builder: Update to the latest patched version per JoomShaper advisory.
  • Page Builder CK: Update to the latest patched version per Joomlack advisory.

Recommendations

  • Patch by Friday July 10: CISA KEV deadline applies. Apply patches immediately.
  • Audit for compromise: Check Joomla web directories for unauthorized PHP files.
  • Review file uploads: Ensure file upload controls are properly configured even after patching.

References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 8, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!