Top/Articles/Two Popular Joomla Page Builders Can Be Hijacked Without a Login (CVE-2026-48908, CVE-2026-56290): Update Now
joomla-page-builder-cve-cover-en

Two Popular Joomla Page Builders Can Be Hijacked Without a Login (CVE-2026-48908, CVE-2026-56290): Update Now

Two popular page-building tools for Joomla let anyone take over a server without a password. Both SP Page Builder (CVE-2026-48908) and Page Builder CK (CVE-2026-56290) are rated the maximum 10.0, are under active attack worldwide, and plant secret admin accounts. Update SP Page Builder to 6.6.2 and Page Builder CK to 3.6.0 now.

NewsPublished July 8, 2026 Updated today
Table of contents
Key takeaways

Two popular page-building tools for Joomla let anyone take over a server without a password. Both SP Page Builder (CVE-2026-48908) and Page Builder CK (CVE-2026-56290) are rated the maximum 10.0, are under active attack worldwide, and plant secret admin accounts. Update SP Page Builder to 6.6.2 and Page Builder CK to 3.6.0 now.

Two of the most popular page-building tools for Joomla, the free software used to build websites around the world, have been hit by back-to-back flaws that let anyone take over a server without a password. JoomShaper's SP Page Builder (CVE-2026-48908) and Joomlack's Page Builder CK (CVE-2026-56290) both carry the maximum severity rating of 10.0.

Both are already under active attack worldwide and have been added to the "list of flaws being actively exploited" (KEV) published by the U.S. agency CISA. Sites that were hit had secret administrator accounts quietly planted on them. If you use these tools, update SP Page Builder to 6.6.2 and Page Builder CK to 3.6.0 right now.

Overview of the two flaws

The two flaws come from different vendors and different products, but their makeup is nearly identical. In both cases, a file intake that should only be usable by an administrator was left open to anyone without a login. By simply sending a small attack program to that intake, an attacker can freely control the server's contents.

ItemSP Page BuilderPage Builder CK
Tracking IDCVE-2026-48908CVE-2026-56290
VendorJoomShaperJoomlack
Severity (out of 10)10.0 (max)10.0 (max)
Affected versions6.6.1 and
earlier
3.5.10 and
earlier
Fixed version6.6.23.6.0
(also 3.1.1 / 3.4.10)
Login required?No (anyone)No (anyone)
Real-world attacksConfirmedConfirmed

A severity of "10.0" is the perfect score on CVSS (the Common Vulnerability Scoring System), a worldwide standard for rating how serious a flaw is. A 10.0 is rare and only appears when the conditions line up: no login needed, exploitable remotely, and full control of the server. This time, two of them landed in the same period, in tools used for the same purpose.

Who is targeting this, and what do they do?

The attackers are not people with a grudge against anyone in particular. They are operators who automatically scan the entire internet with machines, hunting down every site that uses these two tools. Because no login or password is needed, they do not pick their targets; they hit any site they find, one after another. A personal blog, a small company's website, a city hall or a school page—if the conditions match, all are equally in scope.

What the attacker does is plant a private back door on the server and quietly create a secret account that impersonates an administrator. On sites that were actually attacked, investigators found fake admin accounts dressed up with names familiar to real staff, such as "Web Editor" or "Site Helper." On the surface nothing changes, while only the back end has been taken over.

A hijacked site is not simply left alone. It gets used as a stepping stone to redirect visitors to fake sites, to skim personal data entered into membership records or contact forms, or as a base to attack other sites. The operator loses trust, and visitors are unknowingly placed at the entrance to harm. A similar takeover flaw was found not long ago in a Joomla text-editing tool (JCE's CVE-2026-48907), and a wave of attacks targeting Joomla extensions has continued through this period.

What Joomla and page-building tools are

Joomla is free software that lets you build and update a website without programming knowledge. It is one of the best-known site foundations after WordPress, used for company sites, membership sites, and city or school pages.

Joomla works on its own, but it is common to add "extensions" that bolt on extra features. The two products at issue here, SP Page Builder and Page Builder CK, are especially popular "page-building tools." You drag pieces like text, images, and buttons into place to build a polished page. That ease of use means many sites run them, which widens the blast radius of these flaws.

According to a Censys survey, about 194,793 web properties across roughly 3,080 hosts on the internet were found running SP Page Builder. That is only what is visible from the outside; the real number of installs is likely far higher.

How the SP Page Builder flaw (CVE-2026-48908) works

CVE-2026-48908: broken in through the icon-image intake

The problem was in a feature called "asset.uploadCustomIcon," which receives the icon images SP Page Builder uses on a page. It should only be used by a logged-in administrator, but according to mySites.guru's analysis, this intake had neither a check for whether the requester was logged in nor a check that the file sent was really an image.

As a result, an attacker can, without logging in, place a program (a PHP file) disguised as an image on the server. Because the file is saved in a spot reachable directly from the web, the program runs the moment the attacker visits its address, letting them control the server from outside. This type of flaw, where an outsider gets to run arbitrary programs, is classified as CWE-434 (unrestricted upload of a dangerous file), and it scores an extremely high 10.0 on the latest CVSS standard (4.0) and 9.8 on the older one (3.1).

Proof-of-concept code that reproduces the attack is already public on GitHub, so the attack can be reproduced without much expertise. Hijacked sites were found to have fake admin accounts using a nonexistent email address ending in "@secure.local," plus a back-door program calling itself "PHP File manager" planted in several locations.

How the Page Builder CK flaw (CVE-2026-56290) works

CVE-2026-56290: the save location and name are the attacker's to choose

The other product, Page Builder CK, has the same root cause in its file intake. According to mySites.guru's analysis, the file intake obediently accepted "which folder" and "what name" to save under exactly as the request specified. There was no restriction limiting uploads to images and no block on PHP files. The only barrier, a "password of sorts" (a CSRF token), could be read by anyone who looks at the site's pages.

As a result, an attacker who is not logged in can drop an attack program into any writable location of their choosing and run it in a browser. The flaw is rated CVSS 10.0 (CWE-284, improper access control) in the GitHub advisory as well. Within hours of the fix going public, attacks planting a back-door program named "bhup.php" on real sites were observed.

Page Builder CK has separate fixes depending on the generation of Joomla you run. The latest line is 3.6.0, and back-ported builds 3.1.1 and 3.4.10 were released at the same time for older generations. You need to update to the build that matches your site's Joomla generation.

Update targets by product

ProductVulnerableUpdate toPriority
SP Page Builder6.6.1 and earlier6.6.2Now
Page Builder CK
(latest line)
3.5.10 and earlier3.6.0Now
Page Builder CK
(for Joomla 3)
3.1.0 and earlier3.1.1Now
Page Builder CK
(for Joomla 4)
3.4.9 and earlier3.4.10Now

How events unfolded

← Swipe to move

How to check whether you were hijacked

Sites that have already been attacked keep their back doors even after updating. If any of this sounds familiar, update and then check that none of the following traces remain.

  • In your list of admin accounts, any unfamiliar user whose email address ends in "@secure.local"
  • Admin names you do not remember creating, such as "Web Editor," "Site Helper," or "Admin Backup"
  • For SP Page Builder, any unfamiliar ".php" files (especially users.php) under the "images" folder or in "/media/com_admin/" and "/media/regularlabs/"
  • For Page Builder CK, any suspicious ".php" files such as bhup.php under "/media/com_pagebuilderck/gfonts/"

If you find even one, there is a high chance you have already been breached. mySites.guru's guide recommends that, in addition to deleting the fake accounts and back-door files, you change every secret—your Joomla admin password, database, and FTP/SSH—force all users to log out, and audit the entire site.

What to do right now

First, confirm whether your site is built on Joomla, and whether it uses SP Page Builder or Page Builder CK. In Joomla's admin screen (System → Manage → Extensions), you can check the installed tools and their versions. If they apply, follow the "update targets" table above and update to the latest version without hesitation. Attacks are already running automatically worldwide, and "our little site won't be targeted" no longer holds.

If you outsource your site to an outside firm, ask them today whether the emergency updates for SP Page Builder and Page Builder CK are done. After updating, be sure to check for the traces listed in the previous section. You can also track actively exploited flaws on CISA's warning list, mirrored in our CISA KEV dashboard. As with these two cases, attacks aimed at Joomla extensions have kept coming lately, and regularly checking for updates to the tools you use is your strongest defense.

✓ Confirmed facts

  • SP Page Builder 6.6.1 and earlier has a no-login takeover flaw; the fix is 6.6.2 (CVE-2026-48908)
  • Page Builder CK 3.5.10 and earlier has the same class of flaw; the fix is 3.6.0 and others (CVE-2026-56290)
  • Both rated the maximum severity of 10.0; both confirmed under active attack and added to CISA's warning list (source)
  • About 194,793 web properties running SP Page Builder were identified (Censys)

Summary

A Joomla extension flaw: remote code execution in SP Page Builder before 6.6.2. CVE-2026-48908, with a perfect CVSS score of 10. Credited to Phil Taylor.

Closing

The easier a tool makes it to build a good-looking page, the more sites it ends up on—and the wider the damage when a flaw finally surfaces. SP Page Builder and Page Builder CK come from different vendors and are different products, yet they carried the same weakness: files could be placed without a login. It is a case study in how a handy page-building part can itself become the way in.

What to do is simple. If you use them, update now and check for signs of a takeover. Get both done today. Attacks targeting Joomla extensions have come in quick succession over the past few weeks, so building the habit of following update news—so you don't panic when the next flaw of the same kind appears—is, in the end, the best preparation.

References

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django