If you received an email from me pointing you to this page, it is because your website appears to be running a vulnerable version of Page Builder CK (Joomlack’s com_pagebuilderck), a page-builder extension for the Joomla content management system. This page explains why that matters and how to fix it.

This notice concerns CVE-2026-56290, a critical (CVSS 10.0), actively exploited flaw that allows unauthenticated remote code execution through the extension’s front-end media-browser upload feature. The fix shipped on 27 June 2026, and which version is “fixed” depends on your Joomla line:

If your site runs… Page Builder CK is fixed in… Affected (upgrade needed)
Joomla 3 3.1.1 3.1.0 and earlier
Joomla 4 3.4.10 3.4.9 and earlier
Joomla 5 or 6 3.6.0 3.5.10 and earlier

If you are running an affected version, upgrade to the fixed release for your Joomla line as soon as possible. Because this was exploited as a zero-day, you should also check your site for signs of compromise (see If you were on an affected version below).

This is an extension flaw, not a Joomla core flaw. A fully up-to-date Joomla core does not protect you if the Page Builder CK extension itself is out of date.

Note on version numbers. Page Builder CK uses the same version numbers across different Joomla releases, so the number alone does not tell you whether you are safe: it depends on your Joomla version. For example, 3.1.2 is a fixed build on Joomla 3, but a site on Joomla 5 needs 3.6.0 or later. The table above is keyed to your Joomla line for exactly this reason.

Is this message legitimate?

Yes. This is a good-faith, responsible-disclosure notice from an independent security researcher. I am not asking you for money, passwords, or access to your site, and I have not attempted to break into it, upload anything, or exploit anything.

All I did was look at publicly visible files that your website serves to every visitor (the same way your homepage is public) and note the version number that the Page Builder CK extension publishes in those files. I specifically did not touch the vulnerable upload feature. Nothing about this check touches your data, your admin area, or any private part of your site.

If you would like to verify who I am, see the contact details at the bottom of this page and the About page.

Why this matters

Page Builder CK is a widely used drag-and-drop page builder for Joomla. In affected versions, the extension’s front-end media browser exposes an upload action that can be reached without logging in and without a valid security check: the upload handler was missing the authorization check that should restrict it to editors. That lets an attacker upload a program of their choosing and run it on your server: full remote code execution.

This is not a theoretical risk. The flaw was scored 10.0 out of 10, was exploited in the wild as a zero-day (with attackers dropping web-based backdoors for persistent access), and was added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog on 7 July 2026.

If my email cited this issue, it means the version your site reports falls within the affected range for your Joomla line. I did not test whether your particular site is exploitable or already compromised, only that it reports an affected version.

The good news: updating to a fixed version closes the hole, and the update is straightforward.

How to check your version

You do not have to take my word for which version you are running.

From the public manifest (no login needed): open yourdomain.com/administrator/components/com_pagebuilderck/pagebuilderck.xml in a browser. The <version> line is the version your Page Builder CK install reports, and this is the same public file I read.

From the admin area (if you have access):

  1. Log in to your Joomla administrator (usually at yourdomain.com/administrator).
  2. Go to System then Manage then Extensions (or Extensions then Manage, depending on your Joomla version).
  3. Search for Page Builder CK and note the installed version.

Compare that number against the table at the top of this page for your Joomla line. If you are at or above the fixed version for your line (3.1.1 on Joomla 3, 3.4.10 on Joomla 4, 3.6.0 on Joomla 5/6), you are patched; if you are below it, you should upgrade.

How to upgrade

The safest path is to update through Joomla itself, and to back up first:

  1. Back up your site (files and database) before making changes. Most hosting providers offer one-click backups, or use a Joomla backup extension.
  2. In the Joomla admin, open Extensions then Manage then Update, and click Find Updates. If a Page Builder CK update is listed, install it from here. Joomla will offer the correct build for your Joomla line automatically.
  3. If no update appears there, download the latest release directly from the vendor, Joomlack, at https://www.joomlack.fr/en/joomla-extensions/page-builder-ck and install it via Extensions then Install.
  4. After upgrading, confirm the new version number (the fixed release for your Joomla line) using the steps above, and check that your site loads and edits normally.

While you are in there, it is worth confirming that Joomla itself and your other extensions are up to date, since the same principle applies to all of them.

If you were on an affected version

Because this flaw was exploited before a fix was available, a site that ran an affected version should not assume that simply updating is enough. The update closes the hole, but it does not remove anything an attacker may have already uploaded. You (or your webmaster) should also check whether the site was broken into:

  • Unexpected files on the server. An unauthenticated-upload attack leaves behind files the attacker placed, most often .php files (web shells) in writable upload and media directories, such as under /images/, /media/, or the Page Builder CK media directory (/media/com_pagebuilderck/). Look for script files with random-looking names, or files whose modification date lines up with when the site might have been targeted, and remove any you cannot account for.
  • Rogue administrator accounts. File-upload attacks are frequently used to create hidden Super User accounts for persistent access. Review your user list under Users then Manage and remove any you do not recognize.
  • Unexpected changes. Modified core files, new scheduled tasks, or unfamiliar template overrides can indicate a backdoor that survives the extension update.

If you find any of these, treat the site as compromised: remove the rogue files and accounts, rotate all credentials (Joomla admin, database, FTP/SSH, hosting panel), force all users to log back in, and consider restoring from a known-good backup taken before the intrusion. If your organization has an IT security team or a national CERT, loop them in.

I want to be clear: I have not checked your site for any of these indicators, and I do not know whether your site was affected. This list is here so you can check for yourself.

I do not have a webmaster / I am stuck

If you are not the person who maintains the site, please forward this page to whoever does (your web developer, agency, or hosting provider). They will recognize the steps above quickly.

If you are maintaining the site yourself and get stuck, I am happy to help point you in the right direction at no cost. Reach out using the contact details below.

Contact

Evan Harris, Security Researcher

I reach out about issues like this purely to help operators secure their sites. If you would prefer not to be contacted again, just let me know and I will honor that.

References

Official advisories and tracking

Vendor (Joomlack)