By Jordan Polasek · July 8, 2026

The tool you used to build your website — the drag-and-drop page builder that let you lay out your homepage without writing a line of code — has quietly become one of the most attacked pieces of software on the internet this week. Two separate flaws in two of the most popular Joomla page builders both scored a perfect 10.0 for severity, and attackers are already using them to plant hidden backdoors on real small-business sites.

## ⚡ The 60-Second Version

>

- What: Two critical flaws in widely used Joomla website page builders — CVE-2026-56290 in Page Builder CK and CVE-2026-48908 in JoomShaper SP Page Builder — both rated the maximum 10.0 severity. Each lets an attacker with no login and no password upload a file to your web server and take it over. CISA added both to its Known Exploited Vulnerabilities list on July 8, 2026.
- Fix: Update Page Builder CK to 3.6.0 or later and SP Page Builder to 6.6.2 or later — or have your web team disable the extension until you can.
- By when: Now. Exploitation started before the fixes were even on the KEV list. The federal deadline to patch is July 10, 2026 — treat that as your deadline too.

What actually happened

On July 8, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four actively exploited flaws to its Known Exploited Vulnerabilities catalog — the government's short list of holes criminals are provably using right now, not just in theory. Two of the four live in Joomla, one of the most common systems small businesses and nonprofits use to run their websites.

Both flaws are the same kind of problem, and it's a bad one. A page builder is the tool that lets you design a page by dragging boxes around instead of hand-coding it. To do its job, it has to let you upload things — images, icons, files. The mistake in both extensions was that the upload door was left unlocked: the software accepted uploaded files without checking whether the person was logged in and without checking what kind of file it was.

That means an attacker doesn't need your password, your admin account, or an insider. They just send your website a specially crafted request and drop a file of their choosing onto your server. The file they drop is usually a web shell — a small hidden program that lets them run commands on your web server as if they were sitting at the keyboard.

Security researchers watched real attacks against Page Builder CK (CVE-2026-56290) starting June 27, all aimed at planting exactly that kind of web shell. The SP Page Builder flaw (CVE-2026-48908) was hit as a zero-day — exploited in the wild before most people even knew it existed.

Why a web shell on your site is worse than it sounds

Owners often tell me, "It's just our website — it's not like it holds our accounting." I understand the instinct, but it's the wrong way to think about it. Once an attacker has a web shell on your server, your website stops being a brochure and becomes a launch pad. From there they can:

And most of this happens silently. A defaced homepage you'd notice in an hour. A web shell sitting quietly in an upload folder, harvesting your form submissions, can run for months. The average small business finds out when a customer calls asking why the site is warning them about malware — or when Google delists them.

This is part of a bigger pattern

The other two flaws CISA flagged this week tell the same story. One was a maximum-severity Adobe ColdFusion bug (CVE-2026-48282) that attackers began exploiting within hours of it being disclosed. Different products, same lesson: the software that runs your website and your web apps is now first in line for attack, and the window between "flaw announced" and "criminals exploiting it" has collapsed to hours. The days when you could patch "sometime this month" are over.

What this means for your business

If your website runs on Joomla — and a lot of small-business, association, and nonprofit sites across Texas still do — here's your week, in order:

1. Find out what page builder your site uses. If it's Page Builder CK or SP Page Builder, this is about you. If you don't know, that's a five-minute question for whoever built or maintains your site.

2. Update the extension today. Page Builder CK to 3.6.0+, SP Page Builder to 6.6.2+. If nobody can update it this week, have the extension disabled until it can be.

3. Don't stop at the page builder. Update Joomla's core and every extension. These two are the ones being hammered today, but outdated add-ons are the single most common way small-business sites get taken over.

4. Check whether you've already been hit. Look for files you don't recognize in your upload and media folders, and for unexpected admin accounts. If anything looks off, take the site offline and call someone before you touch it — you don't want to destroy the evidence.

5. Put someone in charge of website updates. Not "we'll get to it." A named person or a service, on a schedule.

If you want a quick outside read on where your public-facing footprint stands, our free Security Scoreboard is a good starting point.

How BVTech helps

For our managed clients, website and web-application patching is part of the deal — we track the vulnerabilities that hit the KEV list, and flaws like these get closed out fast, usually before the owner ever hears the CVE number. If you're not on a managed plan and you're not sure whether your Joomla site is exposed, that's exactly the kind of thing we check. Take a look at our cybersecurity solutions and managed IT services, or just book a quick call and we'll look at your site together.

A max-severity flaw in the tool you built your own website with is unnerving. But it's also one of the most fixable problems in this business — an update and a little vigilance close the door. Let's get it closed.

— Jordan Polasek · Founder, BVTech LLC