CVE-2026-48908: Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.12
A vulnerability in SP Page Builder for Joomla lets unauthenticated users upload arbitrary files, which in turn allows PHP code to be uploaded and executed on the server.
Metrics
- CVSS v4.0: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated arbitrary file upload vulnerability in the SP Page Builder extension for Joomla (versions 1.0.0 through 6.6.1) lets any remote attacker upload PHP files to the server without logging in. The upload endpoint is reachable directly over the network and needs no prior access or user interaction. Because the uploaded file can then be executed as PHP, successful exploitation gives the attacker remote code execution on the hosting server under the web server's identity. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as a fix version is released.
HarborGuard Coverage
- Detection [Available]: The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Joomla images in connected registries and CI/CD pipelines. Any image found to contain SP Page Builder versions 1.0.0 through 6.6.1 is flagged immediately.
- Alert prioritization [Available]: HarborGuard surfaces this CVE with its CVSS v4.0 score of 10.0 (Critical) and applies per-environment compliance policy weighting to prioritize alert routing. Findings are dispatched to the appropriate team inbox inside each customer organization based on ownership and policy configuration.
- Patched-image rebuild [Pending upstream]: Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered without manual intervention.
Exploit Conditions
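The detection step above amounts to reading the installed extension's version out of each image and comparing it against the affected range. The script below is an added illustration of that check, not HarborGuard's scanner and not code from joomshaper. It assumes (neither fact is stated on this page) that the component's manifest sits at administrator/components/com_sppagebuilder/sppagebuilder.xml inside the Joomla tree and carries a top-level <version> element, and it treats the advisory's range 1.0.0 through 6.6.1 as inclusive at both ends. The point worth seeing is the numeric version comparison: a plain string compare would rank 6.10.0 below 6.6.1 and flag it as affected.

```python
"""
Check whether a Joomla tree carries an SP Page Builder version inside the
range this advisory lists as affected (1.0.0 through 6.6.1).

Added illustration; this is not HarborGuard's scanner or joomshaper's code.
Assumptions (not taken from the advisory): the component manifest lives at
administrator/components/com_sppagebuilder/sppagebuilder.xml and carries a
top-level <version> element, and the affected range is closed at both ends.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

AFFECTED_MIN = "1.0.0"   # range as published on this advisory
AFFECTED_MAX = "6.6.1"   # update if the advisory changes its upper bound

# Assumed manifest location (Joomla component manifests normally sit here).
MANIFEST_REL_PATH = "administrator/components/com_sppagebuilder/sppagebuilder.xml"


def version_key(version: str) -> tuple:
    """Map '6.6.10' to (6, 6, 10, 0) so that comparisons are numeric.

    A plain string compare would rank '6.10.0' below '6.6.1' and flag it as
    affected; padding to four fields makes '6.6' and '6.6.0' compare equal.
    Trailing qualifiers such as '-beta' are ignored.
    """
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(version: str) -> bool:
    """True when version falls within AFFECTED_MIN..AFFECTED_MAX inclusive."""
    return version_key(AFFECTED_MIN) <= version_key(version) <= version_key(AFFECTED_MAX)


def manifest_version(xml_text: str) -> Optional[str]:
    """Read the <version> element of a Joomla extension manifest.

    Returns None when the XML is malformed or the element is missing, so a
    damaged manifest yields 'unknown' rather than a false 'not affected'.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    el = root.find("version")
    if el is None or not el.text or not el.text.strip():
        return None
    return el.text.strip()


def scan_joomla_tree(root_dir) -> dict:
    """Inspect one Joomla install (or an unpacked image layer) and report."""
    manifest = Path(root_dir) / MANIFEST_REL_PATH
    if not manifest.is_file():
        return {"installed": False, "version": None, "affected": False}
    version = manifest_version(manifest.read_text(encoding="utf-8", errors="replace"))
    return {
        "installed": True,
        "version": version,
        # A manifest we cannot read is reported as unknown (None), not as safe.
        "affected": is_affected(version) if version is not None else None,
    }


# Constructed sample manifest (not a real file shipped by the extension).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<extension type="component" method="upgrade">
  <name>com_sppagebuilder</name>
  <version>6.6.1</version>
</extension>
"""


def demo() -> dict:
    """Build two throwaway trees, one with the sample manifest and one without,
    and scan both. Returns {'with_extension': ..., 'without_extension': ...}."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / MANIFEST_REL_PATH).parent.mkdir(parents=True)
        (site / MANIFEST_REL_PATH).write_text(SAMPLE_MANIFEST, encoding="utf-8")
        empty = Path(tmp) / "empty"
        empty.mkdir()
        return {
            "with_extension": scan_joomla_tree(site),
            "without_extension": scan_joomla_tree(empty),
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

To run it against a real image, unpack the image's filesystem (for example with `docker export` and `tar`) and point `scan_joomla_tree` at the directory holding the Joomla root. An unreadable manifest is reported as `affected: None` on purpose: a scanner that silently treats "could not parse" as "not vulnerable" hides exactly the images that need a look.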
- Network reachability: Required. The vulnerable endpoint is exposed over the network; an attacker must be able to reach the Joomla instance over HTTP/HTTPS to exploit it.
- Authentication: Not required. No account or session token of any privilege level is needed; the file upload endpoint accepts requests from unauthenticated users.
- Victim interaction: Not required. Exploitation is driven entirely by the attacker's own requests to the server; no user action such as clicking a link or opening a file is involved.
- Attack complexity: Low. The exploit is reliable and requires no race conditions, special memory layout, or environmental prerequisites.
Blast Radius
- The attacker executes arbitrary PHP code under the web server process identity, giving them command execution on the host or container running Joomla.
- Confidential data stored by the Joomla application, including database credentials, session tokens, and user records, is readable by the attacker.
- The attacker can write, modify, or delete files accessible to the web server process, including application code, configuration files, and uploaded media.
- The CVSS v4.0 vector scores impact on subsequent systems as high (SC:H/SI:H/SA:H): the initial foothold is expected to be usable for lateral movement to, or disruption of, downstream infrastructure beyond the compromised container.
How HarborGuard Handles This
Available on HarborGuard: no upstream patch exists for CVE-2026-48908, so the CVE is flagged as a zero-day with continuous advisory monitoring active. HarborGuard re-checks the joomshaper.net and Joomla security feeds on every ingest cycle; as soon as a fix version is published, a patched-image rebuild becomes available and, for customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered automatically.
While no patch is available, recommended compensating controls are:
- network policy rules in front of Joomla deployments that restrict inbound access to trusted sources only;
- egress filtering that limits outbound connections from the container (this does not stop the upload itself, but it constrains what an attacker can do from the foothold);
- disabling or removing the SP Page Builder extension from images where the feature is not actively required.
Images carrying affected SP Page Builder versions should be treated as critical-priority findings: the vector carries a 10.0 score, E:A (exploitation reported in the wild), and AU:Y (automatable), so opportunistic mass exploitation should be assumed.
Affected Products
- joomshaper.net / SP Page Builder extension for Joomla: versions 1.0.0 through 6.6.1
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red