OFFSITE.DARK
← Signals

Jun 22, 2026

2 min

Sploitus

  • joomla
  • rce
  • cve
  • cms
  • file-upload
  • joomshaper

news

SP Page Builder Joomla Unauthenticated RCE (CVE-2026-48908)

Pre-auth ZIP upload to com_sppagebuilder iconfont path enables .PHP execution via .htaccess bypass; CVSS 10.0 on Sploitus.

Summary

CVE-2026-48908 is a critical unauthenticated remote code execution vulnerability in SP Page Builder (com_sppagebuilder) for Joomla by JoomShaper. Sploitus indexed a full PoC (exploit card) showing that the asset.uploadCustomIcon task accepts ZIP archives without authentication or CSRF tokens, extracts contents into a public web directory, and can achieve code execution via case-sensitive extension filtering bypass plus .htaccess handler override. CVSS 4.0: 10.0.

OFFSITE.DARK did not author the exploit; Sploitus is cited as the weekly index source.

Technical Details

Vulnerable endpoint:

index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon

The handler accepts multipart field custom_icon (ZIP) and extracts to:

/media/com_sppagebuilder/assets/iconfont/<id>/fonts/
AspectDetail
CVECVE-2026-48908
WeaknessCWE-284 → unauthenticated arbitrary file upload → RCE
Affected1.0.0 – 6.6.1
Fixed6.6.2
Auth / CSRFNeither required on affected builds
Sploitus CVSS10.0

Case-sensitive blocklist bypass chain (indexed PoC):

  1. Server rejects lowercase .php but not .PHP or .htaccess.
  2. Default Apache handler may serve .PHP as plain text initially.
  3. Dropped .htaccess with AddType application/x-httpd-php .PHP re-enables execution where AllowOverride permits.

The PoC packages a valid icon-font structure plus fonts/.htaccess and fonts/.PHP shell, guarded by a per-run token and supporting --cleanup.

CVE

FieldValue
CVECVE-2026-48908
ComponentSP Page Builder (com_sppagebuilder)
Patched version6.6.2 (adds auth, authorization, CSRF on upload task)
Sploitus date2026-06-22
RSS index0452174E-CA14-5E07-832F-D7B7BBD5B889

Impact

Pre-auth RCE on internet-facing Joomla sites with SP Page Builder ≤ 6.6.1. Successful exploitation grants www-data-level (or equivalent) shell access, enabling full site and database takeover, malware hosting, and credential harvesting.

Mitigation

  1. Upgrade SP Page Builder to 6.6.2+ — primary fix.
  2. Disable PHP in /media/, /images/, /tmp/ upload trees.
  3. Set AllowOverride None on upload directories so dropped .htaccess cannot register handlers.
  4. Use case-insensitive allow-lists for upload extensions, not blocklists.
  5. Assume-breach review: hunt for .php/.PHP under media/.../iconfont/, rogue Super Users, unexpected file managers.

Sources

→ Source