
CVE-2026-48908 – Unauthenticated File Upload Leading to RCE – SP Page Builder for Joomla (up to 6…


Summary

CVE-2026-48908 is a maximum-severity unauthenticated remote code execution (RCE) vulnerability in the SP Page Builder extension for Joomla, affecting all versions up to and including 6.6.1. A complete absence of authentication and file-type validation on the component’s icon-upload controller allows any unauthenticated remote attacker to upload an arbitrary PHP file to the web root and execute it immediately. The vulnerability carries a CVSS 4.0 score of 10.0 and is being actively exploited in the wild at the time of this publication.

Technical details

  • Root cause: The asset.uploadCustomIcon controller task in SP Page Builder performed no authentication or authorization checks and applied no server-side file-type validation, allowing unauthenticated HTTP requests to write arbitrary files—including PHP scripts—to web-accessible directories (CWE-284: Improper Access Control).
  • Trigger conditions: No authentication, special configuration, or user interaction is required. Any Joomla installation with SP Page Builder installed and enabled up to version 6.6.1 is vulnerable in its default state.
  • Attack vector: A remote, unauthenticated HTTP POST request to index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon. The attack is fully automatable (CVSS 4.0 AU:Y), with low attack complexity and no attack requirements (AC:L, AT:N).
  • Impact: Successful exploitation results in the upload and execution of PHP webshells, leading to full server compromise. Observed post-exploitation activity includes the creation of hidden Joomla Super Administrator accounts, deployment of persistent PHP file-manager backdoors under /media/com_sppagebuilder/assets/, and exposure of Joomla configuration files.
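The two observables the details above give a defender are the request to the upload task itself and subsequent requests for PHP files under /media/com_sppagebuilder/assets/. The following Python script is an added example (not IONIX or vendor code) that applies both checks to web-server access logs and correlates them per client address; the log lines, IP addresses and file name it uses are constructed for the example, and it assumes the Apache/Nginx "combined" log format.

```python
"""Access-log detection for CVE-2026-48908 exploitation attempts.

Added example, not IONIX or vendor code. Two indicators from the advisory are
checked: requests that reach the asset.uploadCustomIcon task, and requests for
PHP files under /media/com_sppagebuilder/assets/, where dropped backdoors were
observed. The two are then correlated per client address.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
VULN_OPTION = "com_sppagebuilder"
VULN_TASK = "asset.uploadCustomIcon"
BACKDOOR_DIR = "/media/com_sppagebuilder/assets/"

# Constructed sample lines (not real traffic); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2026:02:14:09 +0000] "POST /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jun/2026:02:14:11 +0000] "GET /media/com_sppagebuilder/assets/upload_12.php HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.4 - - [15/Jun/2026:02:15:30 +0000] "GET /index.php?option=com_sppagebuilder&view=page&id=4 HTTP/1.1" 200 9823 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Jun/2026:02:16:02 +0000] "POST /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Jun/2026:02:17:45 +0000] "GET /media/com_sppagebuilder/assets/icons/custom.svg HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    parts = urlsplit(req["target"])
    req["path"] = parts.path
    req["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    req["status"] = int(req["status"])
    return req


def classify(req):
    """Return a finding label for one parsed request, or None if benign."""
    q = req["query"]
    if q.get("option") == VULN_OPTION and q.get("task") == VULN_TASK:
        # A 2xx on a POST means the server processed the upload; on an
        # unpatched site that is a file written to the web root.
        if req["method"] == "POST" and 200 <= req["status"] < 300:
            return "upload_task_success"
        return "upload_task_attempt"
    if req["path"].startswith(BACKDOOR_DIR) and req["path"].lower().endswith(".php"):
        # Legitimate icon assets are images or fonts, never PHP scripts.
        return "php_in_assets_dir"
    return None


def analyze(log_text):
    """Return (findings, suspect_ips). A suspect address both completed a
    request to the upload task and then fetched a PHP file from the
    assets directory, i.e. the full upload-then-execute chain."""
    findings = []
    labels_by_ip = {}
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        label = classify(req)
        if label:
            findings.append((req["ip"], label, req["target"]))
            labels_by_ip.setdefault(req["ip"], set()).add(label)
    suspects = sorted(
        ip for ip, labels in labels_by_ip.items()
        if {"upload_task_success", "php_in_assets_dir"} <= labels
    )
    return findings, suspects


if __name__ == "__main__":
    found, chain = analyze(SAMPLE_LOG)
    for ip, label, target in found:
        print(f"{label:22} {ip:15} {target}")
    print("upload-then-execute chain observed from:", chain)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. A 403 on the upload task after patching (or with the RsFirewall rule in place) still shows up as an attempt, which is useful for confirming that the mitigation is actually in the request path.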

Affected software

  • SP Page Builder extension for Joomla, versions 1.0.0 through 6.6.1 (inclusive)

Severity

  • CVSS 4.0 Score: 10.0 (Critical)
  • CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red
  • CWE: CWE-284 – Improper Access Control

Mitigation and recommended actions

  • Immediate action: Upgrade SP Page Builder to version 6.6.2 or later. Released June 14, 2026, version 6.6.2 gates the uploadCustomIcon controller behind an authenticated session, requires the user to hold admin or component-manage permission, and enforces a valid anti-CSRF token on the request.
  • If immediate upgrade is not possible: The vendor forum advisory notes that RsFirewall 3.3.7 includes a protective rule that mitigates exploitation of this vulnerability for sites unable to update immediately. Additionally, restricting external HTTP access to the Joomla administrator back-end at the network or web-server level reduces the attack surface while a maintenance window is arranged.
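To make the three gates the 6.6.2 release is described as adding concrete, the following Python model is an added illustration (not SP Page Builder's or Joomla's code). It places an authenticated-session check, an admin-or-component-manage permission check and an anti-CSRF token check in front of the upload handler, next to a stand-in for the unchecked pre-6.6.2 behaviour. The file-name allowlist after the three gates is this example's own addition, showing the server-side file-type validation the root cause says was absent; the `UploadRequest` type and the permission names are assumptions made for the example.

```python
"""Model of the access gate the 6.6.2 fix places in front of uploadCustomIcon.

Added illustration, not SP Page Builder's or Joomla's code. The three checks the
advisory names for 6.6.2 (authenticated session, admin or component-manage
permission, valid anti-CSRF token) are applied in that order; the file-name
allowlist after them is this example's own addition.
"""
import hmac
import os
from dataclasses import dataclass

# Assumption: icon uploads are image or font files, never something PHP executes.
ALLOWED_ICON_EXT = {".svg", ".png", ".woff", ".woff2", ".ttf"}
SCRIPT_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps"}


@dataclass
class UploadRequest:
    """Constructed stand-in for the HTTP request plus its session state."""
    authenticated: bool
    permissions: frozenset    # assumed names: "core.admin" or "core.manage" on the component
    form_token: str           # anti-CSRF token submitted with the request
    session_token: str        # token the server issued to this session
    filename: str             # client-supplied file name


def upload_custom_icon_vulnerable(req):
    """Pre-6.6.2 behaviour as the advisory describes it: no checks, and the
    client-chosen name is written straight to a web-accessible directory."""
    return ("accept", req.filename)


def safe_icon_name(filename):
    """Return a web-safe base name, or None to reject. Rejects path
    components, NUL bytes, dotfiles, disallowed final extensions and any
    embedded script extension (e.g. 'x.php.svg'), which some web-server
    handler configurations would still execute."""
    name = os.path.basename(filename)
    if name != filename or "\x00" in name or name.startswith("."):
        return None
    parts = name.lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in ALLOWED_ICON_EXT:
        return None
    if any("." + p in SCRIPT_EXT for p in parts[1:-1]):
        return None
    return name


def upload_custom_icon_fixed(req):
    """Gate order mirrors the advisory's description of 6.6.2."""
    if not req.authenticated:
        return ("reject", "login required")
    if not (req.permissions & {"core.admin", "core.manage"}):
        return ("reject", "permission denied")
    # Constant-time comparison so the token check does not leak via timing.
    if not hmac.compare_digest(req.form_token, req.session_token):
        return ("reject", "invalid token")
    name = safe_icon_name(req.filename)
    if name is None:
        return ("reject", "file type not allowed")
    return ("accept", name)


def demo():
    """Run the same requests through both handlers; returns the outcomes."""
    anon = UploadRequest(False, frozenset(), "", "tok-a1b2", "shell.php")
    editor = UploadRequest(True, frozenset({"core.edit"}), "tok-a1b2", "tok-a1b2", "icon.svg")
    no_token = UploadRequest(True, frozenset({"core.manage"}), "stale", "tok-a1b2", "icon.svg")
    double_ext = UploadRequest(True, frozenset({"core.manage"}), "tok-a1b2", "tok-a1b2", "x.php.svg")
    good = UploadRequest(True, frozenset({"core.manage"}), "tok-a1b2", "tok-a1b2", "icon.svg")
    cases = {"anon": anon, "editor": editor, "no_token": no_token,
             "double_ext": double_ext, "good": good}
    return {k: (upload_custom_icon_vulnerable(r), upload_custom_icon_fixed(r))
            for k, r in cases.items()}


if __name__ == "__main__":
    for case, (old, new) in demo().items():
        print(f"{case:11} vulnerable={old}  fixed={new}")
```

The vulnerable stand-in accepts every request, including the unauthenticated upload of shell.php that the advisory describes; the gated version rejects it at the first check and still refuses a double-extension name from a fully authorised user, which is the part of the defence the interim WAF rule cannot give you.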

IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

How IONIX's External Exposure Management Platform Detects and Validates Zero-Days to Shrink MTTR

1. Map your entire attack surface (continuously)

IONIX uses multi-factor discovery methods, including DNS analysis, certificate mapping, metadata inspection, and more, to automatically map every internet-facing asset across your environment. This includes cloud instances, third-party platforms, shadow IT, and even forgotten infrastructure that traditional tools miss.

2. Monitor for new CVEs

Dozens of threat intel feeds using agentic technology are continuously analyzed to detect the appearance of proof-of-concept code, exploit kits, and indicators of active targeting. IONIX goes further by applying AI to proactively evaluate whether emerging vulnerabilities are likely to be exploited, even before PoCs go public.

3. Identify Potential External Exposures

Not all CVEs matter. IONIX filters vulnerabilities by asking attacker-centric questions: Can it be reached from the internet? Does it require authentication? Is it being exploited in the wild? This dramatically reduces noise and focuses teams on threats that can actually be weaponized.

4. Create Safe, Scalable Exploit Validations

IONIX transforms real-world PoCs into safe, non-intrusive test payloads that can be run in production environments without disruption. These simulations are precisely targeted to the systems that are vulnerable, ensuring rapid validation without unnecessary load.

5. Execute Exploit Validations

By combining context about software stack, versioning, exposure status, and reachability, IONIX ensures that only the right payloads are executed against the right assets, maximizing efficiency and minimizing risk.

6. Drive Fast and Actionable Remediation

Results are routed through integrations with ticketing, SOAR, and SIEM tools. Issues are written in plain language, bundled into remediation clusters, and prioritized based on asset criticality, exploitability, and blast radius. This shortens mean time to remediation (MTTR) and empowers teams to act with confidence.
