⚡ Key Takeaways

Two unauthenticated file-upload flaws rated CVSS 10.0 — CVE-2026-48908 in JoomShaper’s SP Page Builder (versions 1.0.0 through 6.6.1, fixed in 6.6.2) and CVE-2026-56290 in Joomlack’s Page Builder CK (up to 3.5.10, fixed in 3.6.0) — let any anonymous visitor upload a PHP web shell and take over a Joomla site. Both were added to the CISA Known Exploited Vulnerabilities catalog on July 7, 2026, with active exploitation confirmed in the wild.

Bottom Line: Algerian businesses and web agencies running Joomla should upgrade SP Page Builder to 6.6.2 and Page Builder CK to 3.6.0 today, then audit for rogue admin accounts and planted web shells before assuming a site is clean.

Read Full Analysis ↓

🧭 Decision Radar

Relevance for Algeria
High

Joomla is widely used behind Algerian SME, professional-services, and agency-built client sites, and both flaws are being actively exploited by automated scanners that hit small sites as readily as large ones.
Action Timeline
Immediate

Exploitation is confirmed in the wild and a CISA remediation deadline already passed on July 10, 2026 — unpatched sites can be shelled within hours, so this is a same-day task, not a scheduled maintenance item.
Key Stakeholders
Web agencies, SME IT managers, freelance Joomla developers, public-sector webmasters
Decision Type
Tactical

This calls for a concrete, time-boxed remediation action — inventory, patch, audit, harden — rather than a long-term strategic bet.
Priority Level
Critical

Unauthenticated remote code execution rated CVSS 10.0 with active exploitation is the highest-severity web risk, and a single compromised site can expose customer data and become a launchpad for further attacks.

Quick Take: If you or your agency runs any Joomla site, check today whether SP Page Builder (≤6.6.1) or Page Builder CK (≤3.5.10) is installed, and if so upgrade to 6.6.2 and 3.6.0 immediately. Patching alone is not enough — hunt for @secure.local Super Admin accounts and stray .php shells in /media/ directories, then rotate every credential. Put every extension on an update cadence you actually follow so the next critical CVE is a patch, not a breach.

Advertisement

Two CVSS 10.0 Flaws in the Web’s Most Common Joomla Builders

Joomla remains one of the most widely deployed content management systems behind Algerian small-business sites, professional-services pages, and the WordPress-alternative builds that many local web agencies still maintain for clients. Two of its most popular drag-and-drop page builders now carry the worst possible severity rating — and both are being exploited right now.

The first, CVE-2026-48908 in JoomShaper’s SP Page Builder, was published on June 20, 2026 and scored 10.0 under CVSS 4.0 (9.8 under CVSS 3.1). The National Vulnerability Database classifies it as CWE-434, “Unrestricted Upload of File with Dangerous Type,” affecting every release from 1.0.0 through 6.6.1 and fixed in 6.6.2. The flaw lets “unauthenticated users upload arbitrary files, ultimately resulting in the upload and execution of PHP code” — the textbook definition of remote code execution.

The second, CVE-2026-56290 in Joomlack’s Page Builder CK, was disclosed on June 29, 2026 and also rated CVSS 10.0. It affects the com_pagebuilderck extension up to and including 3.5.10 on the current line, and the vendor shipped fixes on June 27, 2026: version 3.6.0 for current Joomla, plus back-ports 3.1.1 for Joomla 3 and 3.4.10 for Joomla 4. Both vulnerabilities were entered into the U.S. CISA Known Exploited Vulnerabilities catalog on July 7, 2026, with a federal remediation deadline of July 10, 2026 — a signal that these are not theoretical.

Why Algerian SMEs and Agencies Are in the Blast Radius

An unauthenticated RCE is the single most dangerous class of web vulnerability because it removes every barrier an attacker normally has to clear. There is no password to guess, no phishing email to send, no admin session to hijack. A remote attacker points an automated scanner at a range of IP addresses, finds any site with the vulnerable component installed, and uploads a shell. The economics favour mass scanning, which is exactly why small sites with no dedicated security team are hit as readily as large ones.

Organizations running Joomla in Algeria are exposed in a specific way: page builders are “install-once, forget-forever” components. A web agency builds a brochure site for a client in 2023, hands over the keys, and nobody touches the extension list again. The site keeps working, so no one notices that SP Page Builder is three years out of date. This maintenance gap — not any Algeria-specific weakness — is what turns a patched-in-June flaw into a compromised-in-July site. The mitigation is entirely within reach: the patched versions are free, and the audit steps below take a competent administrator an afternoon per site.

Advertisement

How the Attack Actually Works

For SP Page Builder, security researchers at mySites.guru traced the flaw to the asset.uploadCustomIcon task, reachable at index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon. The endpoint processes file uploads with no authentication check and no server-side file-type validation, so “an attacker could upload a .php file, browse to it, and the server would execute it.” Observed payloads then create hidden Super Administrator accounts using @secure.local email addresses and drop PHP file-manager backdoors — typically users.php files inside /media/ directories — to survive the eventual patch.

Page Builder CK follows the same pattern. Its upload handler “asked neither” authentication nor authorization; the only barrier was a CSRF token, and as the researchers note, that token “is not a login” because Joomla prints it into its own public pages, so any visitor can grab one in a single request. With no allow-list restricting uploads to images and no block on PHP files, attackers dropped a web shell named bhup.php into /media/com_pagebuilderck/gfonts/ — a working upload handler “that runs whatever an attacker POSTs to it” — within hours of the patch going public. The Centre for Cybersecurity Belgium issued a matching advisory urging immediate patching.

What Algerian Organizations Running Joomla Should Do

Treat any Joomla site with either builder as potentially compromised until proven otherwise. Work through these four steps in order — patching alone is not enough if a shell was already planted.

1. Identify your exposure across every site you manage

Inventory first. For each Joomla install, log into the administrator panel and open Extensions → Manage → Manage, then filter for “SP Page Builder” and “Page Builder CK” and record the exact version. Agencies managing multiple client sites should script this against the database (#__extensions table) rather than clicking through dozens of dashboards. Flag anything where SP Page Builder is at or below 6.6.1, or Page Builder CK is at or below 3.5.10 (3.1.0 on Joomla 3, 3.4.9 on Joomla 4). Do not assume a low-traffic brochure site is safe — mass scanners do not distinguish between a national brand and a five-page portfolio.

2. Apply the vendor patch immediately — do not wait for a maintenance window

Upgrade SP Page Builder to 6.6.2 or later and Page Builder CK to 3.6.0 (or the back-ported 3.1.1 / 3.4.10 matching your Joomla major version). Both are official vendor releases published in late June 2026, so they install through Joomla’s normal updater. Because exploitation is automated and ongoing, the standard “schedule it for the weekend” posture is the wrong call here — an unpatched CVSS 10.0 endpoint can be found and shelled within hours. If you genuinely cannot patch a site today, take it offline or block the vulnerable endpoints at the web-server or WAF layer as a stopgap, not as a permanent fix.

3. Hunt for backdoors and rogue administrator accounts

Patching closes the door but does nothing about an intruder already inside. Open Users → Manage and delete any Super Administrator account you do not recognise, paying special attention to addresses ending in @secure.local — a known indicator from the SP Page Builder campaign. Then search the filesystem for planted shells: look for unexpected .php files in /media/ subdirectories, specifically users.php files and the bhup.php handler seen at /media/com_pagebuilderck/gfonts/. Compare file modification timestamps against your last legitimate deploy; anything newer than your last real change deserves scrutiny. Remove every web shell you find.

4. Rotate credentials, then harden and monitor

After you are confident the site is clean, rotate all administrator passwords, database credentials, and any API keys or SMTP secrets stored in the site configuration — assume they were read. Going forward, put Joomla and every extension on an update cadence you actually follow, restrict PHP execution inside upload and /media/ directories at the web-server level, and enable logging you can review. Subscribe to the vendor security feeds and a national or sector CERT advisory list so the next critical patch reaches you in days, not months.

The Bigger Picture: Extensions Are Your Real Attack Surface

The uncomfortable lesson from CVE-2026-48908 and CVE-2026-56290 is that the CMS core was never the problem — both flaws live in third-party extensions that thousands of sites install and then ignore. Joomla’s own security team did not write this code, cannot patch it, and cannot force anyone to update. For Algerian businesses and the agencies that serve them, that reshapes what “keeping the website secure” means: it is not a one-time hardening at launch but a standing commitment to track every plugin, theme, and builder you have ever installed. The sites that get compromised in the coming weeks will not be the ones that lacked a firewall — they will be the ones where a page builder installed years ago quietly aged past its last safe version. Build the inventory, own the update cadence, and this entire class of incident becomes a patch you applied on time rather than a breach you discover after the fact.

Follow AlgeriaTech on LinkedIn for professional tech analysis Follow on LinkedIn
Follow @AlgeriaTechNews on X for daily tech insights Follow on X

Advertisement

Frequently Asked Questions

What exactly do CVE-2026-48908 and CVE-2026-56290 let an attacker do?

Both are unauthenticated arbitrary file-upload flaws that lead to remote code execution. An anonymous visitor — no login, no password — can upload a PHP web shell to a vulnerable Joomla site and then run arbitrary code on the server. In observed attacks this has meant hidden Super Administrator accounts (often with @secure.local emails), planted file-manager backdoors, and full site takeover. Both carry the maximum CVSS score of 10.0.

Which versions are safe, and how do I update?

For SP Page Builder, upgrade to 6.6.2 or later (anything from 1.0.0 to 6.6.1 is vulnerable). For Page Builder CK, upgrade to 3.6.0 on current Joomla, 3.1.1 on Joomla 3, or 3.4.10 on Joomla 4 (all released June 27, 2026). Both install through Joomla’s built-in updater under Extensions → Manage → Update. Because exploitation is automated, patch immediately rather than waiting for a maintenance window.

I patched — am I safe now, or do I still need to check for a breach?

Patching stops new exploitation but does nothing about an attacker who got in before you updated. You must still audit: delete unrecognised Super Administrator accounts (watch for @secure.local addresses), search /media/ directories for stray .php files such as users.php or bhup.php, compare file timestamps against your last legitimate deploy, and rotate all admin, database, and API credentials once the site is confirmed clean.

Sources & Further Reading