SYS::ONLINE
Wasteland.
Briefs1125
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-48908 2026-07-07

CVE-2026-48908: Critical Unauthenticated File Upload in JoomShaper SP Page Builder

"A critical unrestricted file upload flaw in JoomShaper's SP Page Builder for Joomla lets unauthenticated attackers upload and execute arbitrary PHP code, and CISA confirms it is under active exploitation."

A critical unrestricted file upload flaw in JoomShaper's SP Page Builder for Joomla lets unauthenticated attackers upload and execute arbitrary PHP code, and CISA confirms it is under active exploitation.

What Is It

CVE-2026-48908 is an unrestricted upload of a file with a dangerous type (CWE-434) in JoomShaper SP Page Builder, a page-building extension for Joomla. The vulnerability allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code on the affected server. It carries an NVD CVSS 3.1 base score of 9.8 (CRITICAL) and a secondary CVSS 4.0 score of 10.0 (CRITICAL), with a network attack vector, low attack complexity, and no privileges or user interaction required.

Why It Matters

Successful exploitation gives an unauthenticated remote attacker the ability to run PHP code, yielding high confidentiality, integrity, and availability impact on the compromised system. CISA has added this CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild; NVD's SSVC assessment likewise marks exploitation as "active," automatable "yes," and technical impact "total." The CVSS 4.0 exploit maturity is rated "ATTACKED." Known ransomware campaign use is currently listed as "Unknown."

What's Vulnerable

The affected product is the SP Page Builder extension for Joomla. Per NVD, versions 1.0.0 through 6.6.1 are affected, and the fix is present starting in version 6.6.2 (configuration data lists versions before 6.6.2 as vulnerable).

Patch Status

CISA's required action: apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 (Prioritizing Security Updates Based on Risk) guidance and CISA's "Forensics Triage Requirements." Follow applicable BOD 26-04 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and adhering to BOD 26-04 patching guidelines. The vulnerability was added to the KEV catalog on 2026-07-07 with a due date of 2026-07-10. NVD version data indicates fixes are available in SP Page Builder 6.6.2.

Sources