Published Monday, July 13, 2026 at 01:35 PM PT

BLUF: CISA has confirmed active exploitation of remote code execution flaws in Joomla extensions. Organizations running affected Joomla installations must patch immediately. Federal agencies have been directed to prioritize remediation.
DETAILS:
- CISA added multiple Joomla extension vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation
- Affected extensions include Joomlack Page Builder and JoomShaper SP Page Builder; specific CVE identifiers and CVSS scores not provided in available reporting
- Vulnerabilities allow unauthenticated remote code execution on vulnerable Joomla installations
- Exploitation is occurring in active attacks; threat actors are leveraging these flaws against live targets
- Federal agencies received mandatory patching directives with urgent timelines per CISA protocol
IMPACT:
- Primary: Organizations operating Joomla CMS with vulnerable page builder extensions installed
- Scope: Potentially global; Joomla powers approximately 3% of all websites; page builder extensions are widely deployed
- Risk Level: Critical — RCE flaws enable complete system compromise, data theft, malware deployment, and lateral movement
- Secondary Risk: Compromised Joomla sites can serve as pivot points for supply chain attacks against downstream users
RECOMMENDED ACTIONS:
- Immediate (24 hours): Identify all Joomla installations in your environment and audit installed extensions against CISA’s KEV catalog
- Urgent (48 hours): Apply available patches for Joomlack Page Builder and JoomShaper SP Page Builder; if patches unavailable, disable affected extensions
- Concurrent: Review web server logs for exploitation attempts (look for suspicious POST requests to extension directories)
- Follow-up: Conduct vulnerability scans post-patching to confirm remediation
SOURCES:
- CISA Known Exploited Vulnerabilities Catalog (active listing)
- BleepingComputer reporting
- SecurityWeek reporting
- SecurityAffairs reporting
Note: Specific CVE identifiers and patch availability windows not confirmed in initial reporting. Check CISA.gov and official Joomla security channels for complete vulnerability details and patch status.
