Critical CVSS 10.0 Vulnerabilities in Joomla SP Page Builder and Page Builder CK Enable One-Click Unauthenticated File Upload and Full Site Takeover
U.S. cybersecurity authorities have issued an urgent alert regarding three actively exploited vulnerabilities affecting Joomla extensions and the Langflow AI development platform. The Cybersecurity and Infrastructure Security Agency (CISA) has added the flaws to its Known Exploited Vulnerabilities (KEV) catalog and strongly recommends that organizations apply patches without delay.
The first vulnerability, CVE-2026-48908 (CVSS 10.0 Critical), resides in the SP Page Builder extension for Joomla. It allows an unauthenticated attacker to upload arbitrary files, including malicious PHP code, to the server and subsequently execute them, resulting in full control over the affected website.
The second issue, CVE-2026-55255 (CVSS 9.9 Critical), affects the Langflow platform used to build AI-powered applications. Due to improper authorization checks, an authenticated attacker can specify another user’s process identifier and execute it under that user’s privileges, potentially exposing confidential data, cryptographic keys, and other secrets stored within the system.
The third vulnerability, CVE-2026-56290 (CVSS 10.0 Critical), was discovered in the Page Builder CK extension for Joomla. Insufficient access controls enable unauthenticated attackers to upload and execute arbitrary code on the server, again granting complete site takeover capabilities.
All three vulnerabilities are already being leveraged in real-world attacks. Although CISA has not disclosed details about the threat actors, their targets, or the number of compromised systems, such flaws are frequently used as initial access vectors, especially when internet-facing websites and services are involved.
Federal civilian agencies are required to remediate these issues promptly under Binding Operational Directive (BOD) 26-04, which mandates rapid patching of KEV-listed vulnerabilities that affect publicly accessible resources and enable full system compromise. Agencies must also verify whether attackers have already gained access to their infrastructure before applying updates.
While the directive applies only to U.S. federal agencies, CISA recommends that all organizations adopt the same approach: identify vulnerable Joomla extensions and Langflow instances, deploy available patches, and thoroughly review system logs for signs of prior compromise.