What is JoomShaper SP Page Builder?
SP Page Builder is a popular drag-and-drop page-building extension for the Joomla content management system, used by site owners to visually construct pages without writing template code. As with many Joomla extensions, it registers its own controller tasks that are reachable directly via Joomla's index.php?option=com_sppagebuilder&task=... routing — meaning any authorization gap in one of those tasks is directly exposed to the internet on every site running the extension.
Overview
JoomShaper SP Page Builder contains an unrestricted file upload vulnerability in its asset.uploadCustomIcon controller task, reachable via index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon. The task performed no authentication or authorization check at all, and no server-side file-type validation — allowing any anonymous visitor to POST a multipart/form-data request containing a PHP payload disguised as an icon file. The uploaded file lands in a web-accessible directory and can then be executed via a simple follow-up GET request, yielding full remote code execution with no authentication required.
Affected Versions
| Product | Vulnerable Versions | Fixed Versions |
|---|---|---|
| JoomShaper SP Page Builder | Up to and including 6.6.1 | 6.6.2 |
Version 6.6.2, released June 14, 2026, gates the uploadCustomIcon task behind authentication, requires component-manage permission, and enforces a CSRF token. Note: a JoomShaper community forum thread reports that a related issue in IconsTrait.php may not have been fully addressed by 6.6.2 — administrators should monitor for further vendor guidance.
Technical Details
- Root cause: Missing authentication and authorization check combined with missing file-extension/content-type validation on a file-upload controller task (CWE-434: Unrestricted Upload of File with Dangerous Type).
- Attack vector: Network, no privileges or user interaction required (
AV:N/AC:L/PR:N/UI:N). CVSS score: 9.8 (Critical). - Attack characteristics: A single unauthenticated POST request uploads the malicious file; a single unauthenticated GET request executes it. No chaining with other vulnerabilities is required.
- Impact: Full remote code execution in the context of the web server process, with corresponding high confidentiality, integrity, and availability impact.
Discovery
Credited to Phil Taylor of mySites.guru, whose team monitors file changes across a large base of Joomla sites and traced live compromises back to this endpoint.
Exploitation Context
Actively exploited in the wild; CISA added this CVE to the KEV catalog on July 7, 2026 alongside CVE-2026-56290 (Joomlack Page Builder), a nearly identical unauthenticated file-upload flaw in a different Joomla page-builder extension. Both were discovered independently by mySites.guru via client-forwarded access logs showing live compromise, rather than proactive research — a pattern that repeats across four Joomla extension CVEs in this KEV batch (see also CVE-2026-48939 and CVE-2026-56291). No specific threat-actor name or exposure/Shodan count has been published for this CVE.
Remediation
- Update SP Page Builder to 6.6.2 or later immediately.
- Monitor for further vendor patches given community reports that a related
IconsTrait.phpissue may not be fully resolved in 6.6.2. - Audit the site's
images//upload directories for unexpected PHP files that may have been planted before patching. - Review web server access logs for POST requests to
task=asset.uploadCustomIcon, particularly from unauthenticated or unexpected source IPs. - Restrict direct PHP execution in upload directories at the web server level (e.g., via
.htaccessor nginx location rules) as defense-in-depth against this class of vulnerability. - Follow CISA BOD 26-04 guidance given the July 10, 2026 remediation deadline.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-48908 |
| Vendor / Product | JoomShaper — SP Page Builder |
| NVD Published | 2026-06-20 |
| NVD Last Modified | 2026-07-08 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-434 find similar ↗ |
| CISA KEV Added | 2026-07-07 |
| CISA KEV Deadline | 2026-07-10 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-06-14 | JoomShaper releases SP Page Builder 6.6.2 fixing the flaw |
| 2026-07-07 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-07-10 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-48908 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| SP Page Builder — Joomla Extensions Directory Listing | Vendor |
| mySites.guru — SP Page Builder zero-day uploadCustomIcon RCE | Security Research |
| Threat-Modeling.com — Joomla page builder CVEs added to CISA KEV | Security Research |
| BleepingComputer — CISA warns of actively exploited RCE flaws in Joomla extensions | News |