CISA KEV Alert 7/7/2026, 6:06:54 PM

CISA Adds Critical Joomla SP Page Builder Flaw to KEV Catalogue

CyberSIXT Evidence Panel Source marked as original reporting
Primary Source cisa.gov
CISA KEV Listed in KEV
Patch Patch Status Unknown

CISA has added CVE‑2026‑48908 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects JoomShaper’s SP Page Builder extension for Joomla and is named “JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability”. It allows unauthenticated attackers to upload arbitrary files, leading to the execution of PHP code on the server.

The vulnerability is an unrestricted file upload issue that enables threat actors to place malicious PHP scripts on a vulnerable web server and execute them remotely. The CVSS score is 0.0, indicating that the NVD has not yet assigned a severity rating. No patch or advisory from the vendor is currently available.

Inclusion in the KEV catalogue confirms that active exploitation of CVE‑2026‑48908 has been observed in the wild. No known ransomware campaigns have been linked to this vulnerability at this time. CISA has set a remediation deadline of 10 July 2026 for federal agencies to address the issue.

CISA’s required action is: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk guidance and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

This directive binds Federal Civilian Executive Branch (FCEB) agencies; all other organisations should review their exposure and implement any available mitigations.

For full technical details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-48908 and the CISA KEV catalogue.

View CISA KEV Entry

Article by CyberSIXT