CVE-2026-48908
published 2026-06-20CVE-2026-48908: A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP…
PriorityP268critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.79%
51.5th percentile
A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomshaper.net | sp_page_builder_extension_for_joomla | — | — |
| ollyo | sp_page_builder | < 6.6.2 | 6.6.2 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.010.0CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and execution.
ghsa_unreviewed·2026-06-20
CVE-2026-48908 [CRITICAL] CWE-284 A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and execution.
A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and execution.
VulDB
joomshaper SP Page Builder extension for Joomla 1.0.0-6.6.1 on Joomla access control (EUVD-2026-38110)
vuldb·2026-06-20·CVSS 10.0
CVE-2026-48908 [CRITICAL] joomshaper SP Page Builder extension for Joomla 1.0.0-6.6.1 on Joomla access control (EUVD-2026-38110)
A vulnerability labeled as critical has been found in joomshaper SP Page Builder extension for Joomla 1.0.0-6.6.1 on Joomla. Affected is an unknown function of the component SP Page. Such manipulation leads to improper access controls.
This vulnerability is documented as CVE-2026-48908. The attack can be executed remotely. There is not any exploit available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-20
Published