>samit_hota
Back to advisories
SH-2026-002CriticalOpen

JoomShaper SP Page Builder RCE: Critical Unauthenticated File Upload Actively Exploited

Samit Hota·
CVE ID
CVE-2026-48908
CVSS Score
9.8
Affected Products
JoomShaper SP Page Builder
#kev#joomshaper

Overview

A severe security vulnerability, identified as CVE-2026-48908, has been discovered in JoomShaper’s SP Page Builder, a widely used extension for the Joomla Content Management System. This flaw, dubbed “JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability,” carries a CVSS score of 9.8 (CRITICAL), underscoring its extreme severity and potential for widespread impact. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed active exploitation in the wild. Organizations, particularly federal agencies, are under a strict deadline of July 10, 2026, to apply mitigations or discontinue use of affected products, in accordance with CISA’s Binding Operational Directive (BOD) 26-04.

Technical Details

The core of CVE-2026-48908 lies in the asset.uploadCustomIcon controller task within the SP Page Builder extension. This functionality, intended for uploading custom icons, suffers from a complete absence of authentication, authorization checks, and server-side file-type validation. This critical oversight allows any unauthenticated remote attacker to send a crafted HTTP POST request to the endpoint, bypassing security controls and uploading arbitrary files to web-accessible directories.

Specifically, attackers can upload malicious PHP scripts, commonly referred to as “webshells,” which are then stored in locations such as /media/com_sppagebuilder/assets/iconfont/ or other web-root-served directories. Once a PHP webshell is successfully uploaded, an attacker can simply browse to its URL, causing the web server to execute the malicious code under the privileges of the web server itself. This chain of events directly leads to remote code execution (RCE), granting attackers full control over the compromised Joomla site. The vulnerability affects all versions of SP Page Builder up to and including 6.6.1 and is tracked under CWE-434, “Unrestricted Upload of File with Dangerous Type.”

Real-World Impact

The active exploitation of CVE-2026-48908 presents a severe and immediate threat to a vast number of Joomla installations globally. Upon successful exploitation, attackers gain full control over the compromised server. Observed post-exploitation activities include the creation of hidden Joomla Super Administrator accounts, often with plausible-sounding names and email addresses ending in @secure.local, to maintain persistent access even if the initial entry point is patched.

Attackers have also been observed deploying persistent PHP file-manager backdoors (webshells) within web-accessible directories. These backdoors facilitate further malicious actions, such as stealing sensitive data, defacing websites, injecting SEO spam, redirecting legitimate users to malicious sites, or using the compromised server as a platform for launching attacks against other systems. The ability to upload and execute arbitrary PHP code without authentication makes this vulnerability extremely valuable to opportunistic attackers, turning affected websites into prime targets for various forms of cybercrime.

Threat Landscape

The inclusion of CVE-2026-48908 in CISA’s KEV catalog on July 7, 2026, is a definitive indicator of its active exploitation in the wild. Cybersecurity firms like IONIX, mySites.guru, and SentinelOne have independently confirmed and analyzed the ongoing attacks. While specific named threat actor groups have not been publicly attributed to the exploitation of this CVE, the nature of the vulnerability—unauthenticated RCE in a popular CMS extension—makes it highly attractive to a wide array of opportunistic attackers.

Reports suggest that exploitation attempts often involve automated bots. One specific attack attempt was traced to an IP address geolocated in India. The pervasive use of Joomla across small businesses, non-profits, and community websites implies a broad and diverse victim pool. The consistent pattern of post-exploitation activity, including the establishment of hidden Super Administrator accounts and the deployment of webshells, points to a common set of attack tools and methodologies being employed by malicious actors.

Remediation

The most critical and immediate action required is to upgrade JoomShaper SP Page Builder to version 6.6.2 or later. This version contains the necessary fixes to address the unrestricted file upload vulnerability. Organizations must prioritize this update, especially considering the CISA KEV deadline of July 10, 2026.

Beyond immediate patching, a thorough audit for compromise is essential. Merely updating the extension will not remove any malicious files or backdoors already planted on the server. Administrators should:

  • Check for Rogue Administrator Accounts: Review the Joomla Users list (Users > Manage in the admin backend) for any Super Administrator accounts that were not legitimately created, particularly those with @secure.local email addresses.
  • Scan for Malicious Files: Inspect web directories, especially /media/com_sppagebuilder/assets/iconfont/, /images, /media, /templates, and /administrator, for any unrecognized or suspicious PHP files (webshells). Remove any identified malicious files.
  • Review Logs: Examine web server access logs for unsolicited POST requests to index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon from external hosts, which could indicate prior exploitation attempts.
  • Implement Network-Level Controls: Where immediate patching is not possible, consider restricting external HTTP access to the Joomla administrator backend at the network or web-server level, perhaps using a Web Application Firewall (WAF) or .htaccess rules, to reduce the attack surface.
  • Harden File Permissions: Enforce stringent file permissions to prevent the execution of PHP scripts in known upload directories.
  • Rotate Credentials: If compromise is suspected or confirmed, rotate all relevant credentials, particularly for administrator accounts and any database or API keys that may have been exposed.
  • Rebuild if Integrity Cannot Be Validated: If the integrity of the server cannot be fully validated after a compromise, consider rebuilding the system from a known-good backup, ensuring forensic evidence is preserved if required.

Failure to address CVE-2026-48908 promptly and comprehensively leaves Joomla sites vulnerable to full compromise, posing significant operational and data security risks.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call