Known Exploited Vulnerability
10.0
CRITICAL CVSS 4.0
CVE-2026-48908
JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability - [Actively Exploited]
Description

A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

INFO

Published Date :

June 20, 2026, 1:16 p.m.

Last Modified :

July 8, 2026, 1:57 p.m.

Remotely Exploit :

Yes !
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

JoomShaper SP Page Builder contains an unrestricted upload of file with dangerous type vulnerability that allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

Required Action :

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Known Ransomware Campaign Use:

Unknown

Notes :

https://extensions.joomla.org/extension/sp-page-builder/ ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-48908

Affected Products

The following products are affected by CVE-2026-48908 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Ollyo sp_page_builder
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 134c704f-9b21-4f2e-91b3-4a467353bcc0
CVSS 3.1 CRITICAL [email protected]
CVSS 4.0 CRITICAL 6ff30186-7fb7-4ad9-be33-533e7b05e586
CVSS 4.0 CRITICAL [email protected]
Solution
Update SP Page Builder to the latest version to fix arbitrary file upload and PHP execution vulnerabilities.
  • Update SP Page Builder to the latest version.
  • Remove any uploaded malicious files.
  • Review file upload configurations.
Public PoC/Exploit Available at Github

CVE-2026-48908 has a 14 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-48908.

URL Resource
https://www.joomshaper.com/page-builder Product
https://extensions.joomla.org/extension/sp-page-builder/ Product
https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/ Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48908 US Government Resource
https://www.joomshaper.com/forum/question/45152 Issue Tracking
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-48908 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-48908 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

None

Updated: 1 day, 8 hours ago
0 stars 0 fork 0 watcher
Born at : July 9, 2026, 8:45 p.m. This repo has been linked 5 different CVEs too.

Laboratory validation of CVE-2026-48908 in Joomla SP Page Builder, covering unauthorized icon upload, PHP file write, code execution as www-data, auditd and PCAP evidence, event timeline reconstruction, and SOC detection recommendations. Includes Polish and English reports.

Updated: 1 day, 9 hours ago
0 stars 0 fork 0 watcher
Born at : July 9, 2026, 8:42 p.m. This repo has been linked 1 different CVEs too.

Fonte de pesquisa sobre cybersegurança em notebook LM, ao qual foi incluído bases de consulta-lo sobre duvidas sobre cybersegurança, vulnerabilidades e técnicas de ataques.

Updated: 1 day, 13 hours ago
0 stars 0 fork 0 watcher
Born at : July 9, 2026, 4:06 p.m. This repo has been linked 8 different CVEs too.

None

Python

Updated: 1 day, 2 hours ago
0 stars 0 fork 0 watcher
Born at : July 9, 2026, 3:01 p.m. This repo has been linked 1 different CVEs too.

None

Python PHP

Updated: 15 hours, 56 minutes ago
0 stars 0 fork 0 watcher
Born at : July 8, 2026, 9:25 p.m. This repo has been linked 22 different CVEs too.

CVE-2026-48908 — PoC exploit for unauthenticated RCE in SP Page Builder (Joomla) via arbitrary file upload. Multi‑threaded, case‑bypass, shell verification. For authorized security testing only.

cve-2026-48908 exploit file-upload joomla joomshaper pentest rce security sp-page-builder unauthenticated vulnerability

Python

Updated: 4 days, 1 hour ago
0 stars 0 fork 0 watcher
Born at : July 7, 2026, 1:31 a.m. This repo has been linked 1 different CVEs too.

None

Python

Updated: 5 days, 16 hours ago
0 stars 0 fork 0 watcher
Born at : July 5, 2026, 2:09 p.m. This repo has been linked 1 different CVEs too.

Unauthenticated RCE PoC for CVE-2026-48908 SP Page Builder (Joomla) arbitrary file upload and remote code execution exploit with mass scaning support.

Python

Updated: 1 week, 5 days ago
0 stars 0 fork 0 watcher
Born at : June 28, 2026, 11:54 p.m. This repo has been linked 1 different CVEs too.

CVE-2026-48908

Python

Updated: 2 weeks, 2 days ago
1 stars 0 fork 0 watcher
Born at : June 24, 2026, 11:33 p.m. This repo has been linked 1 different CVEs too.

Unauthenticated RCE PoC for CVE-2026-48908 SP Page Builder (Joomla) arbitrary file upload and remote code execution exploit with mass scaning support.

cve-2026-48908 joomla joomla-rce sp-page-builder

Python

Updated: 2 weeks, 2 days ago
0 stars 0 fork 0 watcher
Born at : June 24, 2026, 12:23 p.m. This repo has been linked 1 different CVEs too.

CVE-2026-48908 - SP Page Builder Joomla Unauthenticated RCE

cve cve-scanning cve-search go golang golang-cli joomla joomla-cms joomla-extensions joomla-plugin

Go

Updated: 2 weeks, 2 days ago
0 stars 0 fork 0 watcher
Born at : June 24, 2026, 8:31 a.m. This repo has been linked 1 different CVEs too.

Unauthenticated RCE PoC for CVE-2026-48908 — SP Page Builder for Joomla (≤ 6.6.1): arbitrary file upload via asset.uploadCustomIcon. Self-cleaning, token-guarded. Authorized testing only.

arbitrary-file-upload exploit joomla penetration-testing poc proof-of-concept rce remote-code-execution sp-page-builder sppagebuilder unauthenticated vulnerability web-security cve-2026-48908

Python

Updated: 2 weeks, 1 day ago
11 stars 2 fork 2 watcher
Born at : June 22, 2026, 9:31 a.m. This repo has been linked 1 different CVEs too.

None

Updated: 2 weeks, 5 days ago
0 stars 0 fork 0 watcher
Born at : June 21, 2026, 9:22 a.m. This repo has been linked 1 different CVEs too.

None

Updated: 2 weeks, 5 days ago
0 stars 0 fork 0 watcher
Born at : June 13, 2026, 1:43 p.m. This repo has been linked 2 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-48908 vulnerability anywhere in the article.

  • security.nl
Joomla-websites aangevallen via kritieke lekken in page builder-extensies

Joomla-websites worden actief aangevallen via twee kritieke kwetsbaarheden in page builder-extensies voor het platform, zo meldt het Amerikaanse cyberagentschap CISA. Via de beveiligingslekken in Page ... Read more

Published Date: Jul 08, 2026 (2 days, 21 hours ago)
  • The Hacker News
CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The ... Read more

Published Date: Jul 08, 2026 (3 days ago)
  • The Hacker News
New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos

Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories ... Read more

Published Date: Jul 02, 2026 (1 week, 1 day ago)

The following table lists the changes that have been made to the CVE-2026-48908 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Jul. 08, 2026

    Action Type Old Value New Value
    Added Reference Type CISA-ADP: https://extensions.joomla.org/extension/sp-page-builder/ Types: Product
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48908 Types: US Government Resource
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jul. 08, 2026

    Action Type Old Value New Value
    Changed SSVC {'id': 'CVE-2026-48908', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'active'}, {'automatable': 'yes'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-07-07T17:45:05.067417Z'} {'id': 'CVE-2026-48908', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'active'}, {'automatable': 'yes'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-07-07T00:00:00+00:00'}
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jul. 07, 2026

    Action Type Old Value New Value
    Added Reference https://extensions.joomla.org/extension/sp-page-builder/
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48908
    Changed SSVC {'id': 'CVE-2026-48908', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'none'}, {'automatable': 'yes'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-22T17:30:39.061979Z'} {'id': 'CVE-2026-48908', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'active'}, {'automatable': 'yes'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-07-07T17:45:05.067417Z'}
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Jul. 07, 2026

    Action Type Old Value New Value
    Added Date Added 2026-07-07
    Added Due Date 2026-07-07
    Added Required Action 2026-07-07
    Added Vulnerability Name 2026-07-07
  • CVE Modified by [email protected]

    Jul. 05, 2026

    Action Type Old Value New Value
    Added CWE CWE-434
    Removed CWE CWE-284
  • Initial Analysis by [email protected]

    Jun. 30, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-434
    Added CPE Configuration OR *cpe:2.3:a:ollyo:sp_page_builder:*:*:*:*:-:joomla!:*:* versions up to (excluding) 6.6.2
    Added Reference Type Joomla! Project: https://www.joomshaper.com/page-builder Types: Product
    Added Reference Type CISA-ADP: https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/ Types: Third Party Advisory
    Added Reference Type CISA-ADP: https://www.joomshaper.com/forum/question/45152 Types: Issue Tracking
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jun. 24, 2026

    Action Type Old Value New Value
    Added Reference https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/
    Added Reference https://www.joomshaper.com/forum/question/45152
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jun. 22, 2026

    Action Type Old Value New Value
    Added SSVC {'id': 'CVE-2026-48908', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'none'}, {'automatable': 'yes'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-22T17:30:39.061979Z'}
  • CVE Modified by [email protected]

    Jun. 21, 2026

    Action Type Old Value New Value
    Changed Description A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and execution. A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
  • New CVE Received by [email protected]

    Jun. 20, 2026

    Action Type Old Value New Value
    Added Affected [{'vendor': 'joomshaper.net', 'product': 'SP Page Builder extension for Joomla', 'versions': [{'status': 'affected', 'version': '1.0.0-6.6.1'}], 'defaultStatus': 'unaffected'}]
    Added Description A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and execution.
    Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
    Added CWE CWE-284
    Added Reference https://www.joomshaper.com/page-builder
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.