SP Page Builder unauth file upload (CVE-2026-48908) [PoC]
CVE-2026-48908
CVE-2026-48908: SP Page Builder for Joomla unauthenticated arbitrary file upload leads to PHP code execution (CVSS 10.0). Update to patched version or block /components/com_sppagebuilder/ uploads.
Actively exploited in the wild - CVE-2026-48908 is a critical unauthenticated arbitrary file upload in SP Page Builder for Joomla that lets attackers upload and execute PHP code on the server. No vendor patch is currently available; apply the mitigations below immediately.
Overview
CVE-2026-48908 affects the SP Page Builder component for Joomla (all versions prior to 5.2.6). The vulnerability resides in the file upload handler, which fails to validate user authentication and file type before storing uploaded content on the server. An attacker with network access to the Joomla instance can upload a malicious PHP file through the component’s media upload functionality, then access that file directly via the web root to achieve remote code execution.
The CVSS vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) yields a base score of 10.0 - the maximum possible severity. This reflects the complete lack of authentication requirements, low attack complexity, and full compromise of confidentiality, integrity, and availability.
While the EPSS model estimates only a 0.8% probability of exploitation in the next 30 days, CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, confirming active use by threat actors. Security analysts should treat this as a high-priority incident, as the window between PoC publication and mass exploitation is typically short.
Affected Versions
- SP Page Builder for Joomla versions prior to 5.2.6
- Joomla 3.x and 4.x installations are both affected
Impact
Successful exploitation allows an unauthenticated attacker to:
- Upload arbitrary PHP files to the web server
- Execute PHP code with the permissions of the web server user
- Deploy web shells, backdoors, or ransomware
- Escalate to full server compromise if the web server runs with elevated privileges
Remediation
Update SP Page Builder to version 5.2.6 as soon as the vendor releases the patch. If immediate patching is not possible, implement these mitigations:
- Block upload paths in your WAF or reverse proxy — disallow POST requests to
/components/com_sppagebuilder/and/images/sppagebuilder/ - Disable PHP execution in the upload directories by adding the following to your
.htaccessor virtual host configuration:<Directory /path/to/joomla/images/sppagebuilder> php_flag engine off </Directory> - Restrict network access to the Joomla admin panel to trusted IP ranges only
- Monitor access logs for POST requests to the vulnerable component paths
Security Insight
This vulnerability belongs to an increasingly common class: “feature-authorized” components in content management systems that expose file upload functionality without proper authentication gates. SP Page Builder’s upload handler was designed for authenticated editors but the check was omitted in the production build. This mirrors the 2021-2022 wave of critical RCE vulnerabilities in WordPress page builder plugins (Elementor, WP Bakery), where drag-and-drop components introduced server-side upload endpoints that attackers could reach without a valid session. Joomla administrators should review any third-party component that implements file handling and ensure it enforces proper access controls at every endpoint, not just in the UI layer. For ongoing coverage of similar vulnerabilities, see our security news section and review breach reports for related incidents.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| papageo75/CVE-2026-48908-PoC Unauthenticated RCE PoC for CVE-2026-48908 — SP Page Builder for Joomla (≤ 6.6.1): arbitrary file upload via asset.uploadCustomIcon. Self-cleaning, token-guarded. Authorized testing only. | ★ 13 |
| 0xBlackash/CVE-2026-48908 CVE-2026-48908 | ★ 1 |
| Jenderal92/CVE-2026-48908 CVE-2026-48908 — PoC exploit for unauthenticated RCE in SP Page Builder (Joomla) via arbitrary file upload. Multi‑threaded, case‑bypass, shell verification. For authorized security testing only. | ★ 1 |
| gagaltotal/CVE-2026-48908-SP-Page-Builder-Joomla CVE-2026-48908 - SP Page Builder Joomla Unauthenticated RCE | ★ 0 |
| ayiezola/CVE-2026-48908 Unauthenticated RCE PoC for CVE-2026-48908 SP Page Builder (Joomla) arbitrary file upload and remote code execution exploit with mass scaning support. | ★ 0 |
Showing 5 of 6 known references. Source: nomi-sec/PoC-in-GitHub.
Related Advisories
The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE....
The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE....
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution....
Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload maliciou...