CISA has added CVE-2026-56290 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Joomlack’s Page Builder product and is tracked as the Joomlack Page Builder Improper Access Control Vulnerability, which permits unauthenticated arbitrary file upload that can lead to remote code execution.
The vulnerability stems from insufficient validation of file‑upload functionality, allowing an attacker without authentication to upload malicious files to the server. Successful exploitation enables the execution of arbitrary code with the privileges of the web‑application process. The Common Vulnerability Scoring System assigns a base score of 10.0, rating the issue as CRITICAL.
A security patch is available from the vendor, referenced in the advisory at https://forum.joomlack.fr/index.php/page-builder-ck/21627-nouvelle-version-de-pbck-et-joomla-3.
Because the CVE appears in the KEV catalogue, active exploitation has been confirmed in the wild. No public reports link this flaw to ransomware campaigns at this time. CISA has set a remediation deadline of 10 July 2026 for Federal Civilian Executive Branch agencies to apply the required mitigations.
CISA directs affected agencies to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26‑04 Prioritizing Security Updates Based on Risk guidance and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26‑04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26‑04 patching guidelines.
This directive binds FCEB organisations; all other organisations should review their exposure to Joomlack Page Builder and apply the vendor patch or equivalent mitigations.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-56290 and the CISA KEV catalogue.