# REPRO-2026-00232: Page Builder CK unauthenticated arbitrary file upload to RCE ## Summary Status: published Severity: critical Type: security Confidence: high ## Identifiers REPRO ID: REPRO-2026-00232 CVE: CVE-2026-56290 ## Package Name: Unknown Ecosystem: Unknown Affected: Unknown Fixed: Unknown ## Root Cause # RCA Report: CVE-2026-56290 — Page Builder CK Unauthenticated Arbitrary File Upload to RCE ## Summary CVE-2026-56290 is a critical unauthenticated arbitrary file upload vulnerability in the Page Builder CK Joomla extension (`com_pagebuilderck`) by Cédric Keiflin (joomlack.fr). The extension's front-end file upload handler (`browse.ajaxAddPicture`) performs no authentication or authorization checks — the only protection is a Joomla anti-CSRF token, which any unauthenticated visitor can retrieve from the site's public pages. Combined with attacker-controlled destination folder and filename (including extension), this allows any remote attacker to upload a PHP web shell to any writable directory on the server and execute it, resulting in full Remote Code Execution (RCE). The vulnerability affects all versions up to and including 3.5.10, and was fixed in version 3.6.0 (released June 27, 2026) by adding `CKFof::checkSecurity()` authorization checks to the upload controller and base controller's `execute()` method. ## Impact - **Package/component affected**: `com_pagebuilderck` (Page Builder CK) Joomla extension - **Affected versions**: All versions up to and including 3.5.10 (current line); also back-ported fixes for Joomla 3 (3.1.1) and Joomla 4 (3.4.10) - **Risk level**: Critical (CVSS 4.0 Base Score: 10.0) - **Consequences**: Full Remote Code Execution on the web server. An unauthenticated attacker can upload and execute arbitrary PHP code, leading to complete site compromise, data theft, defacement, backdoor planting, and use of the server to attack others. Active in-the-wild exploitation confirmed: web shells (e.g., `bhup.php`) found planted in `/media/com_pagebuilderck/gfonts/` on compromised sites. ## Impact Parity - **Disclosed/claimed maximum impact**: Unauthenticated arbitrary file upload leading to full Remote Code Execution (CVSS 10.0, CWE-284/CWE-434) - **Reproduced impact from this run**: Full RCE confirmed — an unauthenticated attacker uploaded a PHP web shell to the server and executed it via HTTP, obtaining server OS information (uname, current user) as proof of code execution - **Parity**: `full` - **Not demonstrated**: N/A — the complete attack chain from unauthenticated request to code execution was demonstrated end-to-end ## Root Cause The vulnerability exists in the `CKBrowse::ajaxAddPicture()` method, which handles file uploads for the Page Builder CK extension's media manager. The root cause is a failure of access control (CWE-284): 1. **No authentication check**: The upload endpoint is accessible via the front-end (`site/controllers/browse.php` includes the admin controller). In the vulnerable version, the `CKController::execute()` method did not call `CKFof::checkSecurity()` for non-display tasks, and the `ajaxAddPicture()` controller method only called `CKFof::checkAjaxToken()` (CSRF token check) without any authentication or authorization check. 2. **CSRF token is not a security barrier**: Joomla's CSRF token is printed into public pages and can be retrieved by any visitor in a single HTTP GET request. The token is embedded in the page's `