All incidents

JoomShaper SP Page Builder Unrestricted File Upload Vulnerability (CVE-2026-48908)

vulnerabilityopenJul 7, 2026 — Jul 7, 2026

CISA has added CVE-2026-48908 to its Known Exploited Vulnerabilities catalogue after confirming active exploitation of a critical file upload flaw in JoomShaper SP Page Builder. The flaw permits unauthenticated users to upload arbitrary files that can be executed as PHP code on the underlying server.

The vulnerability is catalogued as CVE-2026-48908 and concerns the SP Page Builder extension for Joomla, a popular drag‑and‑drop page construction tool. It stems from insufficient validation of uploaded file types, allowing an attacker to place a malicious PHP script on the server and trigger remote code execution.

At present, JoomShaper has not published a security advisory or a patch for the issue, leaving affected installations without an official fix. The CISA KEV entry notes that the vulnerability is being actively exploited in the wild, which prompted its inclusion in the catalogue.

Organisations running Joomla sites that utilise SP Page Builder should consider the flaw a high priority threat, especially if the extension is exposed to the public internet. Even without a patch, the likelihood of compromise is elevated given the observed attacks.

Defenders should start by reviewing their servers for any instances of the extension and disabling file upload functionality where it is not required. Implementing a web application firewall rule that blocks requests with suspicious file extensions such as .php, .phar or .htaccess can also help mitigate the risk.

Where feasible, temporarily removing SP Page Builder or switching to an alternative page builder reduces the attack surface until a vendor patch becomes available. Administrators should consult the CISA KEV guidance for additional details and follow any future advisories from JoomShaper here.

Intelligence briefing updated Jul 7, 2026

CVE-2026-48908 10.0 KEV
Root sourcewww.cisa.gov
Timeline Coverage

Swipe to explore timeline