Four separate Joomla extensions landed on CISA’s Known Exploited Vulnerabilities catalog inside a ten day window in early July 2026, and every one of them fails in exactly the same way. SP Page Builder (CVE-2026-48908) and Page Builder CK, also tracked as PageBuilder CK (CVE-2026-56290), were added on July 7. iCagenda (CVE-2026-48939) and Balbooa Forms (CVE-2026-56291) followed on July 10. All four are unauthenticated file upload vulnerabilities: an attacker with no credentials at all can upload a PHP file through the extension’s own endpoint, choose where it lands, and execute it, gaining full remote code execution on the underlying server. SP Page Builder and Page Builder CK both carry a maximum CVSS 4.0 score of 10.0.
The pattern is the real story
Any one of these on its own would be a routine, if serious, patch advisory. Four of them landing within ten days, sharing an identical vulnerability class, across extensions that between them run on a large share of small business, agency, and public sector Joomla sites, points to something closer to a coordinated wave of scanning and exploitation against the Joomla extension ecosystem rather than four unrelated coincidences. Security researchers observed a live web shell planted on a connected Joomla site through the Page Builder CK flaw within hours of the fix becoming public, which tells you how fast these get weaponised once details circulate, patched or not.
What each one actually requires
SP Page Builder needs an update to 6.6.2 or later; every version up to and including 6.6.1 is affected. Page Builder CK is fixed in 3.5.11, with every version through 3.5.10 vulnerable. iCagenda was patched at 4.0.8 for the current branch and 3.9.15 for the legacy branch, both released in mid-June, meaning some sites have already had a month to apply it and may still be running the old version. Balbooa Forms, the com_baforms component, is fixed in 2.4.1, with 2.4.0 and earlier exposed. None of these require authentication to exploit, and none of them are exotic edge cases: file upload handlers on public-facing website builders are exactly the kind of endpoint mass scanners probe constantly.
Why Joomla site owners in particular need to act
Joomla remains widely used across European small businesses, municipalities, and membership organisations, often set up years ago by a developer who has since moved on, with extensions nobody has revisited since installation. That is precisely the profile these vulnerabilities target: sites running an outdated page builder or event calendar plugin that quietly does its job until an unauthenticated attacker uses it as a foothold to plant a web shell, pivot into hosting infrastructure, or add the site to a botnet.
What to do now
Inventory every third-party extension running on your Joomla installations, not just the core CMS version, and check each one against the current patched versions above. If you cannot confirm an extension has been updated in the past month, assume it needs attention. Check for unexpected PHP files in upload directories and unfamiliar admin accounts as a baseline compromise check, since scanning for these flaws has clearly already started. Where an extension is abandoned or no longer maintained, plan its replacement rather than leaving it as a permanent unpatched attack surface.
If you manage a Joomla site and are not confident every extension is current, or you want a proper security audit of your CMS estate before the next wave of scanning finds it first, contact Excello Digital. We help European businesses keep ageing CMS deployments patched, monitored, and off attackers’ target lists.
