Critical (10.0) Actively Exploited

SP Page Builder unauth file upload (CVE-2026-48908) [PoC]

CVE-2026-48908

CVE-2026-48908: SP Page Builder for Joomla unauthenticated arbitrary file upload leads to PHP code execution (CVSS 10.0). Update to patched version or block /components/com_sppagebuilder/ uploads.

Affected: Ollyo Sp Page Builder

Actively exploited in the wild - CVE-2026-48908 is a critical unauthenticated arbitrary file upload in SP Page Builder for Joomla that lets attackers upload and execute PHP code on the server. No vendor patch is currently available; apply the mitigations below immediately.

Overview

CVE-2026-48908 affects the SP Page Builder component for Joomla (all versions prior to 5.2.6). The vulnerability resides in the file upload handler, which fails to validate user authentication and file type before storing uploaded content on the server. An attacker with network access to the Joomla instance can upload a malicious PHP file through the component’s media upload functionality, then access that file directly via the web root to achieve remote code execution.

The CVSS vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) yields a base score of 10.0 - the maximum possible severity. This reflects the complete lack of authentication requirements, low attack complexity, and full compromise of confidentiality, integrity, and availability.

While the EPSS model estimates only a 0.8% probability of exploitation in the next 30 days, CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, confirming active use by threat actors. Security analysts should treat this as a high-priority incident, as the window between PoC publication and mass exploitation is typically short.

Affected Versions

  • SP Page Builder for Joomla versions prior to 5.2.6
  • Joomla 3.x and 4.x installations are both affected

Impact

Successful exploitation allows an unauthenticated attacker to:

  • Upload arbitrary PHP files to the web server
  • Execute PHP code with the permissions of the web server user
  • Deploy web shells, backdoors, or ransomware
  • Escalate to full server compromise if the web server runs with elevated privileges

Remediation

Update SP Page Builder to version 5.2.6 as soon as the vendor releases the patch. If immediate patching is not possible, implement these mitigations:

  1. Block upload paths in your WAF or reverse proxy — disallow POST requests to /components/com_sppagebuilder/ and /images/sppagebuilder/
  2. Disable PHP execution in the upload directories by adding the following to your .htaccess or virtual host configuration:
    <Directory /path/to/joomla/images/sppagebuilder>
        php_flag engine off
    </Directory>
  3. Restrict network access to the Joomla admin panel to trusted IP ranges only
  4. Monitor access logs for POST requests to the vulnerable component paths

Security Insight

This vulnerability belongs to an increasingly common class: “feature-authorized” components in content management systems that expose file upload functionality without proper authentication gates. SP Page Builder’s upload handler was designed for authenticated editors but the check was omitted in the production build. This mirrors the 2021-2022 wave of critical RCE vulnerabilities in WordPress page builder plugins (Elementor, WP Bakery), where drag-and-drop components introduced server-side upload endpoints that attackers could reach without a valid session. Joomla administrators should review any third-party component that implements file handling and ensure it enforces proper access controls at every endpoint, not just in the UI layer. For ongoing coverage of similar vulnerabilities, see our security news section and review breach reports for related incidents.

Further Reading

Share:

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository Stars
papageo75/CVE-2026-48908-PoC

Unauthenticated RCE PoC for CVE-2026-48908 — SP Page Builder for Joomla (≤ 6.6.1): arbitrary file upload via asset.uploadCustomIcon. Self-cleaning, token-guarded. Authorized testing only.

★ 13
0xBlackash/CVE-2026-48908

CVE-2026-48908

★ 1
Jenderal92/CVE-2026-48908

CVE-2026-48908 — PoC exploit for unauthenticated RCE in SP Page Builder (Joomla) via arbitrary file upload. Multi‑threaded, case‑bypass, shell verification. For authorized security testing only.

★ 1
gagaltotal/CVE-2026-48908-SP-Page-Builder-Joomla

CVE-2026-48908 - SP Page Builder Joomla Unauthenticated RCE

★ 0
ayiezola/CVE-2026-48908

Unauthenticated RCE PoC for CVE-2026-48908 SP Page Builder (Joomla) arbitrary file upload and remote code execution exploit with mass scaning support.

★ 0

Showing 5 of 6 known references. Source: nomi-sec/PoC-in-GitHub.

Related Advisories

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.