CISA has added CVE-2026-56290 to its Known Exploited Vulnerabilities catalogue after confirming active exploitation of a critical remote code execution flaw in Joomlack Page Builder. The flaw affects unauthenticated users and allows arbitrary code execution on vulnerable installations.
Tracked as CVE-2026-56290 the vulnerability carries a CVSS base score of 10.0 rating it as critical. It stems from improper access control in the file upload component of Joomlack Page Builder which fails to validate uploaded files properly.
An attacker can send a specially crafted request to upload a malicious file such as a webshell without needing any authentication. Once the file is stored on the server it can be triggered to run arbitrary commands under the privileges of the web application process.
The entry in the KEV catalogue indicates that the flaw has been seen in the wild although no specific threat actor has been publicly linked to its exploitation. Its inclusion urges organisations to treat the issue as a priority for patching.
Joomlack has released a security update that addresses the file upload validation gap. Administrators should consult the vendor’s advisory via the NVD entry for download links and apply the patch immediately.
In addition to applying the update defenders should review web server directories for any unexpected files and disable or restrict the file upload feature if it is not required. Monitoring logs for abnormal upload attempts can help detect possible compromise.
Finally ensure that incident response plans include steps to isolate affected systems and remove any malicious payloads if a breach is suspected. Staying current with CISA’s KEV catalogue helps prioritise remediation efforts against actively exploited flaws.