Skip to content
Rush Commerce
Software & Dev3 min read

Joomla page builders hit CVSS 10.0: patch your CMS now

Two Joomla page-builder extensions have unauthenticated CVSS 10.0 file-upload flaws that are already dropping web shells and hidden admin accounts. Your marketing site is attack surface.

The website you forgot about is the one getting popped. Two Joomla page-builder extensions — SP Page Builder and Page Builder CK — carry unauthenticated CVSS 10.0 flaws that let anyone upload a file and run code on your server. Both are being exploited right now, and CISA gave U.S. federal agencies a July 10 deadline to patch. If your brochure site or landing pages run on Joomla, this is your problem too, deadline or not.

What actually happened

The two bugs are the same shape: unauthenticated arbitrary file upload leading to remote code execution. CVE-2026-48908 hits JoomShaper's SP Page Builder through the asset.uploadCustomIcon task — no login, no file-type check, so an attacker uploads a PHP payload and executes it. CVE-2026-56290 is the same class of hole in Page Builder CK. Both scored a perfect 10.0.

This isn't theoretical. Per The Hacker News, Page Builder CK exploitation was spotted as early as June 27, 2026, dropping a web shell at /media/com_pagebuilderck/gfonts/bhup.php. The SP Page Builder zero-day was seen creating a new Super User account — a hidden admin the operator never made. CISA added both to its Known Exploited Vulnerabilities catalog with a July 10, 2026 remediation deadline. Fixes exist: SP Page Builder 6.6.2 or later, Page Builder CK 3.6.0. Neither applies itself.

Why it matters for your business

Most small businesses treat the marketing site as set-and-forget. It's built once, handed off, and never touched again until something breaks. That's exactly the asset attackers count on — a CMS with a third-party plugin two versions behind and nobody watching. A web shell on your site doesn't just deface a page. It's a foothold: crypto-mining, phishing pages hosted under your domain, a spam relay that torches your email reputation, or a pivot into whatever else shares that host.

The uncomfortable part is that "your site" is really a stack of other people's code — Joomla core, a page-builder extension, a template, a dozen plugins — and any one of them can be the CVSS 10.0. You didn't write it, but you own the exposure. The fix here is boring and it works: know what's running on your public web properties, subscribe to the extension vendors' advisories, and put patching on a schedule with a name next to it. A site you can't inventory is a site you can't defend.

Key takeaways

  • SP Page Builder (CVE-2026-48908) and Page Builder CK (CVE-2026-56290) both scored CVSS 10.0 — unauthenticated file upload to remote code execution
  • Active exploitation seen since June 27, 2026: web shells dropped and hidden Super User admin accounts created
  • CISA set a July 10, 2026 federal patch deadline; fixes are SP Page Builder 6.6.2+ and Page Builder CK 3.6.0
  • Your marketing/CMS site is a stack of third-party code — inventory it, watch vendor advisories, and patch on a named schedule

Not sure what's running under your website? We audit and rebuild the public-facing sites small businesses depend on — with a known stack, a patch cadence someone owns, and less third-party plugin sprawl to get burned by. See what we do or get a site security review.

Sources: The Hacker News — CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV, SecurityWeek — CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws.

  • #joomla
  • #cve
  • #cms
  • #rce
  • #patching
TR

Tommy Rush — Founder, Rush Commerce

Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More

Get The Rush Report weekly — one email, zero fluff.