CVE-2026-48908 CRITICAL

CVE-2026-48908: Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.2

Vendor Joomshaper.net
Product SP Page Builder extension for Joomla
Weakness CWE-434 · Unrestricted file upload
KEV Status Known Exploited
Published June 20, 2026
Last update July 8, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red

What the vulnerability does

01Description

A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

Explanation of Vulnerability in Simple Terms

02Summary

SP Page Builder for Joomla contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files to the server over the network. An attacker can upload malicious files without authentication or user interaction, potentially leading to remote code execution. This affects versions 1.0.0 through 6.6.1.

What an attacker can do

03Attacker Capabilities

Upload arbitrary files to the server without authentication, potentially executing malicious code.

Potential impact on your site

04Site Impact

Attackers can upload and execute malicious code on your site, compromising all data and site functionality.

Conditions required to exploit

05Prerequisites

Network access to the Joomla site; no authentication or user interaction required.

CISA mandated remediation

06CISA Required Action

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Key dates

07Disclosure timeline

June 20, 2026 CVE published
July 8, 2026 Record updated

External resources

08References

Related vulnerabilities

09Related CVE