A critical unrestricted file upload flaw in JoomShaper's SP Page Builder for Joomla lets unauthenticated attackers upload and execute arbitrary PHP code, and CISA confirms it is under active exploitation.
What Is It
CVE-2026-48908 is an unrestricted upload of a file with a dangerous type (CWE-434) in JoomShaper SP Page Builder, a page-building extension for Joomla. The vulnerability allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code on the affected server. It carries an NVD CVSS 3.1 base score of 9.8 (CRITICAL) and a secondary CVSS 4.0 score of 10.0 (CRITICAL), with a network attack vector, low attack complexity, and no privileges or user interaction required.
Why It Matters
Successful exploitation gives an unauthenticated remote attacker the ability to run PHP code, yielding high confidentiality, integrity, and availability impact on the compromised system. CISA has added this CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild; NVD's SSVC assessment likewise marks exploitation as "active," automatable "yes," and technical impact "total." The CVSS 4.0 exploit maturity is rated "ATTACKED." Known ransomware campaign use is currently listed as "Unknown."
What's Vulnerable
The affected product is the SP Page Builder extension for Joomla. Per NVD, versions 1.0.0 through 6.6.1 are affected, and the fix is present starting in version 6.6.2 (configuration data lists versions before 6.6.2 as vulnerable).
Patch Status
CISA's required action: apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 (Prioritizing Security Updates Based on Risk) guidance and CISA's "Forensics Triage Requirements." Follow applicable BOD 26-04 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and adhering to BOD 26-04 patching guidelines. The vulnerability was added to the KEV catalog on 2026-07-07 with a due date of 2026-07-10. NVD version data indicates fixes are available in SP Page Builder 6.6.2.
Sources
- CISA Known Exploited Vulnerabilities Catalog; https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48908
- NVD, CVE-2026-48908, https://nvd.nist.gov/vuln/detail/CVE-2026-48908
- CISA BOD 26-04; https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- JoomShaper SP Page Builder (product), https://www.joomshaper.com/page-builder
- Joomla Extensions Directory; https://extensions.joomla.org/extension/sp-page-builder/