CVE-2026-48908 — JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability

CVE-2026-48908

JoomShaper SP Page Builder — Unauthenticated uploadCustomIcon Task Enables PHP Web Shell Upload

What is JoomShaper SP Page Builder?

SP Page Builder is a popular drag-and-drop page-building extension for the Joomla content management system, used by site owners to visually construct pages without writing template code. As with many Joomla extensions, it registers its own controller tasks that are reachable directly via Joomla's index.php?option=com_sppagebuilder&task=... routing — meaning any authorization gap in one of those tasks is directly exposed to the internet on every site running the extension.

Overview

JoomShaper SP Page Builder contains an unrestricted file upload vulnerability in its asset.uploadCustomIcon controller task, reachable via index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon. The task performed no authentication or authorization check at all, and no server-side file-type validation — allowing any anonymous visitor to POST a multipart/form-data request containing a PHP payload disguised as an icon file. The uploaded file lands in a web-accessible directory and can then be executed via a simple follow-up GET request, yielding full remote code execution with no authentication required.

Affected Versions

Product Vulnerable Versions Fixed Versions
JoomShaper SP Page Builder Up to and including 6.6.1 6.6.2

Version 6.6.2, released June 14, 2026, gates the uploadCustomIcon task behind authentication, requires component-manage permission, and enforces a CSRF token. Note: a JoomShaper community forum thread reports that a related issue in IconsTrait.php may not have been fully addressed by 6.6.2 — administrators should monitor for further vendor guidance.

Technical Details

  • Root cause: Missing authentication and authorization check combined with missing file-extension/content-type validation on a file-upload controller task (CWE-434: Unrestricted Upload of File with Dangerous Type).
  • Attack vector: Network, no privileges or user interaction required (AV:N/AC:L/PR:N/UI:N). CVSS score: 9.8 (Critical).
  • Attack characteristics: A single unauthenticated POST request uploads the malicious file; a single unauthenticated GET request executes it. No chaining with other vulnerabilities is required.
  • Impact: Full remote code execution in the context of the web server process, with corresponding high confidentiality, integrity, and availability impact.

Discovery

Credited to Phil Taylor of mySites.guru, whose team monitors file changes across a large base of Joomla sites and traced live compromises back to this endpoint.

Exploitation Context

Actively exploited in the wild; CISA added this CVE to the KEV catalog on July 7, 2026 alongside CVE-2026-56290 (Joomlack Page Builder), a nearly identical unauthenticated file-upload flaw in a different Joomla page-builder extension. Both were discovered independently by mySites.guru via client-forwarded access logs showing live compromise, rather than proactive research — a pattern that repeats across four Joomla extension CVEs in this KEV batch (see also CVE-2026-48939 and CVE-2026-56291). No specific threat-actor name or exposure/Shodan count has been published for this CVE.

Remediation

  1. Update SP Page Builder to 6.6.2 or later immediately.
  2. Monitor for further vendor patches given community reports that a related IconsTrait.php issue may not be fully resolved in 6.6.2.
  3. Audit the site's images//upload directories for unexpected PHP files that may have been planted before patching.
  4. Review web server access logs for POST requests to task=asset.uploadCustomIcon, particularly from unauthenticated or unexpected source IPs.
  5. Restrict direct PHP execution in upload directories at the web server level (e.g., via .htaccess or nginx location rules) as defense-in-depth against this class of vulnerability.
  6. Follow CISA BOD 26-04 guidance given the July 10, 2026 remediation deadline.

Key Details

PropertyValue
CVE ID CVE-2026-48908
Vendor / Product JoomShaper — SP Page Builder
NVD Published2026-06-20
NVD Last Modified2026-07-08
CVSS 3.1 Score9.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-434 find similar ↗
CISA KEV Added2026-07-07
CISA KEV Deadline2026-07-10
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2026-07-10. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2026-06-14JoomShaper releases SP Page Builder 6.6.2 fixing the flaw
2026-07-07Added to CISA Known Exploited Vulnerabilities catalog
2026-07-10CISA BOD 22-01 remediation deadline