CVE-2026-48908
JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability - [Actively Exploited]
Description
A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
INFO
Published Date :
June 20, 2026, 1:16 p.m.
Last Modified :
July 8, 2026, 1:57 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
JoomShaper SP Page Builder contains an unrestricted upload of file with dangerous type vulnerability that allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Unknown
https://extensions.joomla.org/extension/sp-page-builder/ ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-48908
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | |||||
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 4.0 | CRITICAL | 6ff30186-7fb7-4ad9-be33-533e7b05e586 | ||||
| CVSS 4.0 | CRITICAL | [email protected] |
Solution
- Update SP Page Builder to the latest version.
- Remove any uploaded malicious files.
- Review file upload configurations.
Public PoC/Exploit Available at Github
CVE-2026-48908 has a 14 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-48908.
| URL | Resource |
|---|---|
| https://www.joomshaper.com/page-builder | Product |
| https://extensions.joomla.org/extension/sp-page-builder/ | Product |
| https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/ | Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48908 | US Government Resource |
| https://www.joomshaper.com/forum/question/45152 | Issue Tracking |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-48908 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-48908
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Laboratory validation of CVE-2026-48908 in Joomla SP Page Builder, covering unauthorized icon upload, PHP file write, code execution as www-data, auditd and PCAP evidence, event timeline reconstruction, and SOC detection recommendations. Includes Polish and English reports.
Fonte de pesquisa sobre cybersegurança em notebook LM, ao qual foi incluído bases de consulta-lo sobre duvidas sobre cybersegurança, vulnerabilidades e técnicas de ataques.
None
Python
None
Python PHP
CVE-2026-48908 — PoC exploit for unauthenticated RCE in SP Page Builder (Joomla) via arbitrary file upload. Multi‑threaded, case‑bypass, shell verification. For authorized security testing only.
cve-2026-48908 exploit file-upload joomla joomshaper pentest rce security sp-page-builder unauthenticated vulnerability
Python
None
Python
Unauthenticated RCE PoC for CVE-2026-48908 SP Page Builder (Joomla) arbitrary file upload and remote code execution exploit with mass scaning support.
Python
CVE-2026-48908
Python
Unauthenticated RCE PoC for CVE-2026-48908 SP Page Builder (Joomla) arbitrary file upload and remote code execution exploit with mass scaning support.
cve-2026-48908 joomla joomla-rce sp-page-builder
Python
CVE-2026-48908 - SP Page Builder Joomla Unauthenticated RCE
cve cve-scanning cve-search go golang golang-cli joomla joomla-cms joomla-extensions joomla-plugin
Go
Unauthenticated RCE PoC for CVE-2026-48908 — SP Page Builder for Joomla (≤ 6.6.1): arbitrary file upload via asset.uploadCustomIcon. Self-cleaning, token-guarded. Authorized testing only.
arbitrary-file-upload exploit joomla penetration-testing poc proof-of-concept rce remote-code-execution sp-page-builder sppagebuilder unauthenticated vulnerability web-security cve-2026-48908
Python
None
None
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-48908 vulnerability anywhere in the article.
-
security.nl
Joomla-websites aangevallen via kritieke lekken in page builder-extensies
Joomla-websites worden actief aangevallen via twee kritieke kwetsbaarheden in page builder-extensies voor het platform, zo meldt het Amerikaanse cyberagentschap CISA. Via de beveiligingslekken in Page ... Read more
-
The Hacker News
CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The ... Read more
-
The Hacker News
New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos
Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories ... Read more
The following table lists the changes that have been made to the
CVE-2026-48908 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Jul. 08, 2026
Action Type Old Value New Value Added Reference Type CISA-ADP: https://extensions.joomla.org/extension/sp-page-builder/ Types: Product Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48908 Types: US Government Resource -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jul. 08, 2026
Action Type Old Value New Value Changed SSVC {'id': 'CVE-2026-48908', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'active'}, {'automatable': 'yes'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-07-07T17:45:05.067417Z'} {'id': 'CVE-2026-48908', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'active'}, {'automatable': 'yes'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-07-07T00:00:00+00:00'} -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jul. 07, 2026
Action Type Old Value New Value Added Reference https://extensions.joomla.org/extension/sp-page-builder/ Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48908 Changed SSVC {'id': 'CVE-2026-48908', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'none'}, {'automatable': 'yes'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-22T17:30:39.061979Z'} {'id': 'CVE-2026-48908', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'active'}, {'automatable': 'yes'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-07-07T17:45:05.067417Z'} -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Jul. 07, 2026
Action Type Old Value New Value Added Date Added 2026-07-07 Added Due Date 2026-07-07 Added Required Action 2026-07-07 Added Vulnerability Name 2026-07-07 -
CVE Modified by [email protected]
Jul. 05, 2026
Action Type Old Value New Value Added CWE CWE-434 Removed CWE CWE-284 -
Initial Analysis by [email protected]
Jun. 30, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-434 Added CPE Configuration OR *cpe:2.3:a:ollyo:sp_page_builder:*:*:*:*:-:joomla!:*:* versions up to (excluding) 6.6.2 Added Reference Type Joomla! Project: https://www.joomshaper.com/page-builder Types: Product Added Reference Type CISA-ADP: https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/ Types: Third Party Advisory Added Reference Type CISA-ADP: https://www.joomshaper.com/forum/question/45152 Types: Issue Tracking -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 24, 2026
Action Type Old Value New Value Added Reference https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/ Added Reference https://www.joomshaper.com/forum/question/45152 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 22, 2026
Action Type Old Value New Value Added SSVC {'id': 'CVE-2026-48908', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'none'}, {'automatable': 'yes'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-22T17:30:39.061979Z'} -
CVE Modified by [email protected]
Jun. 21, 2026
Action Type Old Value New Value Changed Description A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and execution. A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code. -
New CVE Received by [email protected]
Jun. 20, 2026
Action Type Old Value New Value Added Affected [{'vendor': 'joomshaper.net', 'product': 'SP Page Builder extension for Joomla', 'versions': [{'status': 'affected', 'version': '1.0.0-6.6.1'}], 'defaultStatus': 'unaffected'}] Added Description A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and execution. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red Added CWE CWE-284 Added Reference https://www.joomshaper.com/page-builder