{
  "variant_id": "CVE-2026-56290-variant-survey-001",
  "created_at": "2026-07-05T10:49:12Z",
  "variant_summary": "Survey of alternate triggers/bypasses for the Page Builder CK unauthenticated arbitrary file upload to RCE. No bypass of the v3.6.0/3.6.1 fix found: the central CKController::execute() authorization check covers all non-display controller tasks, and ajaxAddPicture is the only sink accepting attacker-controlled file extensions. Alternate ajax endpoints (fonts.save, pixabay.upload, browse.ajaxCreateFolder, frontedition.createModule, ajaxParamsCall gadget) share the broader missing-authorization weakness on the vulnerable version but cannot deliver a .php web shell (forced safe extensions or DB-only writes).",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "joomlack/page_builder_ck",
  "submitted_target": {
    "target_kind": "joomla_extension",
    "version": "3.6.1",
    "ref": "com_pagebuilderck free",
    "display": "Page Builder CK (com_pagebuilderck) v3.6.1 fixed"
  },
  "variant_target": {
    "target_kind": "joomla_extension",
    "version": "3.6.1",
    "ref": "com_pagebuilderck free",
    "display": "Page Builder CK (com_pagebuilderck) v3.6.1 fixed (tested)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "unauthenticated com_pagebuilderck controller task endpoint (index.php?option=com_pagebuilderck&task=<controller.task>)",
  "attacker_controlled_input": "unauthenticated HTTP POST uploading a PHP web shell (file, path, filename) and alternate form parameters for surveyed sinks",
  "trigger_path": "GET public page -> extract guest CSRF token -> POST to index.php?option=com_pagebuilderck&task=browse.ajaxAddPicture&<token>=1 -> access uploaded .php",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": false,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": "CKFof::checkSecurity() in CKController::execute() (if ($task !== 'display') checkSecurity()) and per-method checkSecurity() calls",
  "file_path": "administrator/components/com_pagebuilderck/helpers/ckbrowse.php",
  "line_start": 205,
  "line_end": 322,
  "secondary_anchors": [
    {
      "file_path": "administrator/components/com_pagebuilderck/helpers/ckcontroller.php",
      "line_start": 230,
      "line_end": 232
    },
    {
      "file_path": "administrator/components/com_pagebuilderck/controllers/browse.php",
      "line_start": 38,
      "line_end": 47
    },
    {
      "file_path": "administrator/components/com_pagebuilderck/helpers/ckfof.php",
      "line_start": 50,
      "line_end": 58
    }
  ],
  "review_scope_paths": [
    "administrator/components/com_pagebuilderck/helpers/ckbrowse.php",
    "administrator/components/com_pagebuilderck/helpers/ckcontroller.php",
    "administrator/components/com_pagebuilderck/helpers/ckfof.php",
    "administrator/components/com_pagebuilderck/controllers/browse.php",
    "administrator/components/com_pagebuilderck/controllers/fonts.php",
    "administrator/components/com_pagebuilderck/controllers/pixabay.php",
    "administrator/components/com_pagebuilderck/controller.php",
    "administrator/components/com_pagebuilderck/helpers/pagebuilderck.php",
    "administrator/components/com_pagebuilderck/helpers/pagebuilderckfront.php",
    "administrator/components/com_pagebuilderck/helpers/loaders/folder.php",
    "site/pagebuilderck.php",
    "site/controllers/frontedition.php"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant_evidence.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "phase_results": "bundle/vuln_variant/phase_results.json"
  }
}
