SP Page Builder (Joomla) Unauthenticated File Upload RCE (CVE-2026-48908)
by Ashraf Zaryouh / 0xBlackash · 2026-06-30
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-06-30 |
| Last Updated | 2026-06-30 |
| Author / Researcher | Ashraf Zaryouh / 0xBlackash |
| CVE / Advisory | CVE-2026-48908 |
| Category | web |
| Severity | Critical |
| CVSS Score | 10.0 (CVSSv4, Joomla! Project CNA; AV:N/AC:L/AT:N/PR:N/UI:N) |
| Status | PoC |
| Tags | RCE, unauthenticated, file-upload, PHP-webshell, Joomla, CMS, access-control, Python, CVSS-10 |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | SP Page Builder extension for Joomla (joomshaper.net) |
| Versions Affected | 1.0.0 through 6.6.1 |
| Language / Platform | Python (PoC); PHP / Joomla (target) |
| Authentication Required | No (unauthenticated) |
| Network Access Required | Yes (HTTP/HTTPS) |
Summary
CVE-2026-48908 is a CVSS 10.0 unauthenticated remote code execution vulnerability in SP Page Builder, one of the most widely used Joomla page-builder extensions (joomshaper.net). The asset.uploadCustomIcon endpoint enforces no authentication, no authorisation, and no file-type restrictions, allowing any unauthenticated attacker to upload a crafted IcoMoon ZIP archive containing a PHP web shell. The uploaded shell is immediately accessible and provides full server-side code execution. Fixed in SP Page Builder 6.6.2.
Vulnerability Details
Root Cause
The com_sppagebuilder component exposes the asset.uploadCustomIcon task to unauthenticated HTTP requests. The handler:
- Does not check Joomla session tokens or user authentication state.
- Does not validate or restrict the file types within the uploaded ZIP archive.
- Extracts uploaded archive contents directly to the web root, making PHP files web-accessible.
CWE-284 (Improper Access Control).
Attack Steps
- Identify a target running SP Page Builder 1.0.0 – 6.6.1.
- Create an IcoMoon-format ZIP archive containing a PHP web shell (e.g., cmd.php).
- POST the archive to /?option=com_sppagebuilder&task=asset.uploadCustomIcon.
- The server extracts the ZIP; the PHP file lands in a web-accessible directory.
- Send HTTP GET/POST to the uploaded shell URL to execute arbitrary OS commands.
Impact
- Full unauthenticated remote code execution as the web server user.
- Database credential theft, lateral movement to backend systems.
- Persistent access via web shell survival across deployments.
- Administrative takeover of the Joomla instance.
Environment / Lab Setup
Target: Joomla CMS + SP Page Builder 1.0.0 – 6.6.1
Attacker: Python 3 with requests library
Proof of Concept
Expected Output
[*] Target: https://target.example.com
[*] Uploading malicious IcoMoon ZIP...
[+] Upload successful.
[+] Web shell accessible at: https://target.example.com/components/com_sppagebuilder/assets/icons/cmd.php
[*] Testing RCE: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[+] RCE confirmed.
Detection & Indicators of Compromise
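An added detection example, not part of the advisory or the PoC archive: it scans web-server access-log lines for the two indicators this advisory describes, an unauthenticated POST to task=asset.uploadCustomIcon and a later request for a PHP file under the icon directory, and rates the second higher when the same client did both. The log lines are constructed; the icon directory path is the one shown in the expected output above and may differ between installs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jun/2026:10:01:02 +0000] "POST /?option=com_sppagebuilder&task=asset.uploadCustomIcon HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [30/Jun/2026:10:01:03 +0000] "GET /components/com_sppagebuilder/assets/icons/cmd.php?cmd=id HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.4 - - [30/Jun/2026:10:05:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Jun/2026:10:05:09 +0000] "GET /components/com_sppagebuilder/assets/icons/icomoon.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Directory the advisory's expected output shows the extracted archive landing in (assumption: same on your install).
ICON_DIR = "/components/com_sppagebuilder/assets/icons/"
PHP_EXTENSIONS = (".php", ".phtml", ".phar", ".php5", ".php7")


def classify(line):
    """Return ("upload", ip, target), ("shell_hit", ip, path) or None for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target = m.group("ip"), m.group("method"), m.group("target")
    url = urlsplit(target)
    qs = parse_qs(url.query)
    # Indicator 1: the vulnerable task invoked via POST, regardless of entry path (/ or /index.php).
    if method == "POST" and qs.get("option") == ["com_sppagebuilder"] \
            and qs.get("task") == ["asset.uploadCustomIcon"]:
        return ("upload", ip, target)
    # Indicator 2: any executable-PHP request under the icon directory; legitimate icon assets are CSS/fonts/SVG.
    if url.path.startswith(ICON_DIR) and url.path.lower().endswith(PHP_EXTENSIONS):
        return ("shell_hit", ip, url.path)
    return None


def scan_log(text):
    """Walk the log in order; a shell hit from an IP that already POSTed the upload task is rated high."""
    findings, uploaders = [], set()
    for line in text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, ip, where = hit
        if kind == "upload":
            uploaders.add(ip)
            findings.append((ip, "uploadCustomIcon POST", "high", where))
        else:
            confidence = "high" if ip in uploaders else "medium"
            findings.append((ip, "PHP request under icon directory", confidence, where))
    return findings
```

Run scan_log over an exported access log; any "high" finding should be followed by the file audit from the Remediation table.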
Remediation
| Action | Detail |
|---|---|
| Patch | Upgrade SP Page Builder to 6.6.2 or later |
| Audit | Scan upload directories for unexpected PHP files; remove any found |
| WAF | Block POST requests to task=asset.uploadCustomIcon for unauthenticated users |
| Harden | Disable ZIP extraction into web-accessible directories at the server level |