Vulnerability Description
CVE-2026-48908 is a critical flaw in the custom icon upload feature of SP Page Builder, JoomShaper’s page-builder extension for Joomla. The upload task is reachable without authentication, accepts attacker-controlled archive contents, and writes the extracted files under the web root. On servers that allow uploaded PHP content to run from that location, this gives remote attackers a path from unauthenticated upload to code execution. That pre-authentication path to server-side execution is why the Joomla! Project CNA scored it at the top of the CVSS 4.0 scale: 10.0 critical.
The vulnerable endpoint is the SP Page Builder custom icon upload task. Although the public PoC documents a path to code execution on common Apache/PHP configurations, preventing PHP execution in upload and media directories may limit the immediate impact to unauthenticated file write.

| Field | Description |
|---|---|
| CVE-ID | CVE-2026-48908 — CVSS v4 10 (critical) — assigned by Joomla! Project |
| Vulnerability Description | CVE-2026-48908 is a critical flaw in the custom icon upload feature of SP Page Builder, JoomShaper’s page-builder extension for Joomla. The upload task is reachable without authentication, accepts attacker-controlled archive contents, and writes the extracted files under the web root. On servers that allow uploaded PHP content to run from that location, this gives remote attackers a path from unauthenticated upload to code execution. That pre-authentication path to server-side execution is why the Joomla! Project CNA scored it at the top of the CVSS 4.0 scale: 10.0 critical. |
| Date of Disclosure | June 20, 2026 |
| Affected Assets | SP Page Builder for Joomla |
| Vulnerable Software Versions | Versions 1.0.0 through 6.6.1 are affected, per the GHSA/CNA advisory. |
| PoC Available | Yes. A public proof-of-concept exploit has been published on GitHub. |
| Exploitation Status | Active exploitation has been reported by multiple sources. On JoomShaper’s official support forum, multiple site operators independently reported compromised Joomla sites, and JoomShaper acknowledged the flaw and shipped an emergency fix (6.6.2). Reporters describe a consistent pattern: unauthenticated POST requests to the asset.uploadCustomIcon task, PHP payloads written under /media/com_sppagebuilder/assets/iconfont/, and rogue Joomla Super User accounts using @secure.local email addresses. |
| Patch Status | Patched in SP Page Builder 6.6.2. |
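As an added illustration (not Censys's or JoomShaper's code), the following Python scans web-server access logs for the two request-level indicators the forum reports describe: requests naming the asset.uploadCustomIcon task, and PHP files served from /media/com_sppagebuilder/assets/iconfont/, then correlates both by source IP. It assumes the Apache/nginx "combined" log format; the sample log lines are constructed.

```python
import re
from collections import namedtuple
# Indicators named in the advisory: the unauthenticated upload task, and PHP
# files under the icon-font directory, which legitimately holds only fonts/CSS.
UPLOAD_TASK = "asset.uploadcustomicon"          # matched case-insensitively
ICONFONT_DIR = "/media/com_sppagebuilder/assets/iconfont/"
PHP_EXT_RE = re.compile(r"\.(php\d*|phtml|phar)$", re.I)

# Apache/nginx "combined" access-log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
Finding = namedtuple("Finding", "ip ts kind path")  # kind: upload_task | php_in_iconfont

def scan_access_log(lines):
    """Return one Finding per log line that matches either indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        path = m["path"]
        url = path.partition("?")[0].lower()
        # 1. Any request naming the vulnerable task (reports describe POSTs to it).
        if UPLOAD_TASK in path.lower():
            findings.append(Finding(m["ip"], m["ts"], "upload_task", path))
        # 2. A PHP-extension file requested from the icon-font directory.
        elif url.startswith(ICONFONT_DIR) and PHP_EXT_RE.search(url):
            findings.append(Finding(m["ip"], m["ts"], "php_in_iconfont", path))
    return findings

def ips_with_upload_then_php(findings):
    """Source IPs seen both hitting the upload task and requesting PHP from iconfont."""
    kinds_by_ip = {}
    for f in findings:
        kinds_by_ip.setdefault(f.ip, set()).add(f.kind)
    return {ip for ip, kinds in kinds_by_ip.items()
            if {"upload_task", "php_in_iconfont"} <= kinds}

# Constructed sample traffic (not real logs); 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Jun/2026:02:14:07 +0000] "POST /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '203.0.113.5 - - [21/Jun/2026:02:14:09 +0000] "GET /media/com_sppagebuilder/assets/iconfont/icon.php HTTP/1.1" 200 88 "-" "python-requests/2.32"',
    '198.51.100.7 - - [21/Jun/2026:02:15:00 +0000] "GET /media/com_sppagebuilder/assets/iconfont/icons.css HTTP/1.1" 200 3012 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jun/2026:02:15:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 14000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(ips_with_upload_then_php(scan_access_log(SAMPLE_LOG)))
```

A source that appears in both categories, as 203.0.113.5 does in the sample, matches the upload-then-invoke sequence described on the forum; a single hit on the task alone still warrants checking the iconfont directory on disk for unexpected PHP files and the users table for @secure.local accounts.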
Censys ARC Perspective
194,793 web properties load the SP Page Builder component (its assets under /components/com_sppagebuilder/). Censys can observe that the component is installed and which server and runtime software each server advertises, but it cannot remotely confirm the installed version or whether PHP would execute from the upload location.
Server and runtime software advertised in HTTP response headers across the installed population, shown separately for web properties and hosts. Rows are not mutually exclusive, so there is some overlap.
| Server / runtime | Web properties (of 194,793) | Hosts (of 3,080) |
|---|---|---|
| Apache | 93,649 (48%) | 2,281 (74%) |
| LiteSpeed | 14,912 (8%) | 113 (4%) |
| nginx | 44,905 (23%) | 704 (23%) |
| openresty | 3,912 (2%) | 146 (5%) |
| Microsoft-IIS | 1,071 (<1%) | 57 (2%) |
| PHP (X-Powered-By) | 59,969 (31%) | 993 (32%) |
Ahead of this advisory, the Censys Rapid Response team notified potentially affected customers found to have Internet-facing SP Page Builder instances so they could begin remediation.
- web.endpoints.http.body: "com_sppagebuilder" or host.services.endpoints.http.body: "com_sppagebuilder"
- host.services.http.response.body: "com_sppagebuilder" or web_entity.instances.http.response.body: "com_sppagebuilder"
- services.http.response.body: "com_sppagebuilder"
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-48908
- https://www.joomshaper.com/page-builder
- https://github.com/papageo75/CVE-2026-48908-PoC
- https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/
- https://github.com/github/advisory-database/blob/main/advisories/unreviewed/2026/06/GHSA-8fwr-8fxr-8v2p/GHSA-8fwr-8fxr-8v2p.json