There is a serious vulnerability in Joomla Page Builder CK which enables an attacker without authentication to upload PHP files and run arbitrary code on the server. This vulnerability has been given CVE identifier CVE-2026-56290 and exists in all versions until version 3.5.10.
The discovery of this vulnerability has been attributed to the researcher M@rAz Ali, along with the contributions of Peyman Siyahi and MR.PERSIA who have helped in researching the problem.
The vulnerability lies in the fonts.save task of the component. An unauthenticated attacker could exploit the font.save task to retrieve remote files and inject PHP code into the webroot. The only thing that stands between the attacker and exploitation is the Joomla CSRF token, which can be read on the homepage.
Exploitation gives the attacker full access to run arbitrary PHP code on the target machine.
How the Exploit Works
The Joomla Page Builder CK arbitrary file upload vulnerability works in that the fonts.save task is used. The task is used to download remote font files and save them locally. But there are no proper authentication measures in place.
A CSRF token is needed for the task to work. The CSRF token is included in the source code of all Joomla sites. All an attacker needs to do is access the home page and get the CSRF token.
The attacker makes a POST request to the task fonts.save with a specially crafted payload. The payload contains the URL of the malicious font file hosted on the attacker’s server. In fact, the file is just PHP code disguised as a font.
The task downloads the file and stores it in the following location:
/media/com_pagebuilderck/gfonts/The filename is rather predictable. Now the attacker is able to open the file using the browser. In case the file consists of PHP code, the server will run that code, thus allowing the attacker to use remote code execution.
How Does the Exploit Work?
Exploiting the vulnerability is a relatively simple process which can be automated:
- The attacker performs an action that will request a token for the targeted Joomla site and receives a CSRF token from the HTML code of the web page.
- Next, the attacker creates a POST request for the fonts.save task with the token obtained.
- The URL is then included in the POST request to the malicious font file hosted by the attacker.
- This will make the task download the file from the provided URL and save it in the media directory.
- The attacker obtains the saved file via a web browser to make sure that the exploitation was successful.
- The attacker runs arbitrary PHP code through the web shell.
No credentials or any interaction from the victim side is required for the exploit to work.
Why It Works
There is a Joomla Page Builder CK arbitrary file upload vulnerability because the task fonts.save lacks validation of the authenticity and security of the remote file that needs to be retrieved. Additionally, there is no limitation on the type of files that may be uploaded to the server.
CSRF token is supposed to defend from cross-site request forgery. Nevertheless, since the token is available publicly, it offers no protection for the attack. Every visitor of the website will have access to the token to perform the malicious action.
Vulnerability helps to get rid of Joomla's own security measures and upload arbitrary files to the webroot directory without any authentication or authorization at all.
The Danger
This vulnerability of Joomla Page Builder CK is very dangerous to vulnerable sites because once a person has successfully exploited the vulnerability, the hacker is capable of:
- Deploying a web shell on the website
- Executing arbitrary PHP code
- Reading configuration files
- Accessing the database
- Uploading malware
- Defacing the site
- Using the site as a pivot for further hacking
This vulnerability is scalable; that means several targets can be compromised at once through the use of automated techniques.
The Fix
The vulnerability has been patched in Page Builder CK version 3.6.0. It is necessary that site administrators update immediately.
In case an update is not feasible, one can disable the Page Builder CK extension temporarily. Access to the vulnerable endpoints should be restricted through the web application firewall. Keep track of any PHP files within the media directory.
The Bottom Line
The Joomla Page Builder CK arbitrary file upload vulnerability is a critical security flaw discovered by M@rAz Ali, with contributions from Peyman Siyahi and MR.PERSIA. A publicly accessible CSRF token is the only barrier between an attacker and remote code execution.
The exploit is simple, reliable, and can be automated at scale. Update to version 3.6.0 immediately. Check your media directory for unexpected files. And treat any site running a vulnerable version as potentially compromised.
FAQ Section
What is CVE-2026-56290?
CVE-2026-56290 is an unauthenticated arbitrary file upload vulnerability in the Joomla Page Builder CK extension. It allows attackers to deploy web shells via the fonts.save task.
Who discovered this vulnerability?
The person who discovered this vulnerability is a security researcher named M@rAz Ali; however, credits go to Peyman Siyahi and MR.PERSIA as well.
Which versions are affected?
Page Builder CK versions up to and including 3.5.10 are affected. The vulnerability has been patched in version 3.6.0.
How is the attack carried out?
The attacker will obtain the CSRF token from the Joomla homepage and will use it to craft a request to the fonts.save task which will download a remote file with PHP code and save it to the web root.
What does the attacker do?
The attacker may use the web shell, execute PHP scripts, view files, access the database, and carry out many other malicious activities by utilizing the exploited website.
Is authentication required?
No. The vulnerability may be used even by unauthenticated users.
How can I protect my website?
Please make sure that you update your site to Page Builder CK 3.6.0 version as soon as possible. If the update cannot be performed, then disable the extension and examine the media folder.