CVE-2026-48908

Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.2

CVSS 10 CRITICALEPSS 0.7%CWE-284

A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red

Affected products

joomshaper.net · SP Page Builder extension for Joomla

public PoCs found — 5

githubgithub.com/papageo75/CVE-2026-48908-PoC★ 8 githubgithub.com/0xBlackash/CVE-2026-48908★ 1 githubgithub.com/webshellseo8/CVE-2026-48908-POC★ 0 githubgithub.com/gagaltotal/CVE-2026-48908-SP-Page-Builder-Joomla★ 0 githubgithub.com/ogenich/CVE-2026-48908★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/https://www.joomshaper.com/forum/question/45152 https://www.joomshaper.com/page-builder