CVE Tools
Back to blog

CVE-2026-48908: the anonymous Joomla upload that hands over the whole server

An unauthenticated file upload in SP Page Builder (JoomShaper) that becomes PHP RCE -- CVSS 9.8/10.0, on CISA KEV, and exploited with hidden-admin persistence.

CVE-2026-48908: the anonymous Joomla upload that hands over the whole server. An unauthenticated file upload in SP Page Builder (JoomShaper) that becomes PHP RCE -- CVSS 9.8/10.0, on CISA KEV, and exp
CVE-2026-48908: the anonymous Joomla upload that hands over the whole server. An unauthenticated file upload in SP Page Builder (JoomShaper) that becomes PHP RCE -- CVSS 9.8/10.0, on CISA KEV, and exp

One anonymous HTTP request is the whole exploit. SP Page Builder exposes an upload task, asset.uploadCustomIcon, that shipped with no authentication, no anti-CSRF token, and no server-side file-type check. An attacker POSTs a crafted ZIP, the component extracts it into a web-served directory, and -- as the advisory puts it -- the upload results in the execution of PHP code. No credentials, no user interaction, no chaining. That is why NVD scores it 9.8 and the Joomla CNA scores it a perfect 10.0.

Scores as of 2026-07-11live record →

What the flaw actually is

At its core this is a CWE-434 unrestricted file upload sitting on top of a CWE-284 access-control failure -- and both framings matter, because the endpoint had neither an auth gate nor an extension allow-list. The vulnerable code is the front-end controller task asset.uploadCustomIcon in the com_sppagebuilder component. Joomla ships helpers that require a privileged, logged-in user and validate uploads against a safe-extension list; this path used none of them. The handler accepts an archive presented as an "icon font" package and extracts it under /media/com_sppagebuilder/assets/iconfont/. If the web server will execute PHP from that directory, the attacker just browses to the extracted file and gets code execution -- and public tooling includes a .htaccess AddType trick to force PHP interpretation on hardened servers.

The exploitation chain

From an internet-facing Joomla site with the component installed, the whole path from anonymous request to persistent takeover is short. The diagram below is the kill-chain, with the cheapest place to break it called out at each step -- gate the endpoint, kill the PHP-execution sink, or catch the upload in your logs.

CVE-2026-48908 exploitation chain -- anonymous upload to persistent takeover

  1. Internet-facing Joomla + SP Page Builder <= 6.6.1 — Any Joomla install carrying the com_sppagebuilder component (free/Lite or Pro), reachable from an untrusted network. **Prevent:** patch to 6.6.2+, or uninstall the component and delete leftover folders -- 'present but disabled' is still vulnerable.
  2. Anonymous POST to task=asset.uploadCustomIcon — A single unauthenticated multipart POST carrying a crafted ZIP (icon-font package) in the `custom_icon` field. No login, no CSRF token needed. **Detect:** WAF/log signature on the uploadCustomIcon task (and the URL-encoded `asset%2euploadCustomIcon`).
  3. Auth / CSRF / extension check? — The one gate that should exist -- and did not, in versions <= 6.6.1. None of the three checks fire, so the archive is accepted. **Prevent:** the 6.6.2 fix adds authorization + authentication + anti-CSRF gating here.
  4. ZIP extracted under /media/.../iconfont/ — Contents are written to /media/com_sppagebuilder/assets/iconfont//fonts/ -- inside the web root. This alone is an unauthenticated arbitrary file write.
  5. PHP executes from /media? — Server-dependent. If PHP runs from the upload dir (or the dropped .htaccess AddType trick forces it), the write becomes RCE. **Prevent:** disable PHP execution in /media, /images, /tmp -- this kills the RCE even if a write slips through.
  6. GET the dropped .php -> remote code execution — The attacker fetches the extracted PHP over plain HTTP and runs commands as the web user. Public PoCs verify with a default `id` command and spray .php/.phtml/.phar extensions.
  7. Persistence: rogue @secure.local admin + backdoors — The observed campaign creates a hidden Joomla Super Administrator (email @secure.local) and drops redundant 'PHP File manager ver 1.4' backdoors across the media dirs. **Detect/Evict:** hunt @secure.local admins and backdoors, then rotate all secrets.
  8. Full host takeover -- survives patching until hunted — Because persistence is an account plus multiple shells, updating to 6.6.2 does NOT evict the attacker. A patched site with a @secure.local Super User is still fully owned.
  9. Hardened: unauth arbitrary file write only — If PHP execution in upload dirs is blocked, impact degrades to file write -- still exploitable for defacement or staging, but not instant code execution. Do not treat it as safe.

Am I affected?

The flaw lives in the extension controller, so there is no limiting Joomla core version -- any Joomla 3.6+/4.x/5.x site carrying SP Page Builder is in scope, free/Lite or Pro alike. Read the installed version from the manifest and compare against the fixed build.

ComponentVulnerableFixed baselineHow to check
SP Page Builder (com_sppagebuilder)1.0.0 - 6.6.16.6.2 (see caveat)grep -oE '<version>[^<]+' administrator/components/com_sppagebuilder/sppagebuilder.xml
Joomla coreNo limiting version (3.6+/4.x/5.x)n/aSystem -> Manage -> Extensions, filter sppagebuilder

Timeline

Disclosure -&gt; exploitation -&gt; KEV

  1. CVE published; zero-day exploitation already reported
    NVD publishes CVE-2026-48908; persistence-first exploitation seen around disclosure.
    source
  2. Censys advisory quantifies exposure
    ~194,793 web properties load the component across ~3,080 internet-facing hosts.
    source
  3. Trojanised 'PoC' targets researchers (ChocoPoC)
    A fake exploit for this CVE delivered a Python RAT -- aimed at pentesters, not Joomla sites.
    source
  4. Added to CISA KEV (due 10 July)
    Ransomware use listed as Unknown. (SecurityWeek dates the add to 8 July -- a one-day discrepancy.)
    source
  5. Federal remediation deadline (BOD 26-04)
    The KEV due date -- already past as of this write-up.
    source

Exploited in the wild -- what we know

Multiple trackers describe a single, consistent automated post-exploitation kit -- the hallmark of an opportunistic mass-exploitation campaign, not targeted intrusions. After the upload lands, persistence is established two ways. First, a hidden Joomla Super Administrator account, with usernames from a hard-coded list (webeditor, contentmgr, sysadmin, webmaster, and similar) plus two digits, and the invariant signature of an email at @secure.local. Second, redundant copies of a "PHP File manager ver 1.4" backdoor dropped across /media/com_admin/, /media/regularlabs/ and the icon-font path. No named threat actor, victim count, or underground sale has been published -- reporting characterises the activity as automated and financially motivated, part of a wider mid-2026 Joomla-extension exploitation wave (the Joomla Content Editor flaw CVE-2026-48907 landed in the same window).

Exploit maturity and the PoC trap

Even though the primary write-up deliberately withheld a working exploit, independent public PoCs matching the uploadCustomIcon mechanics appeared on GitHub within about two days -- trackers count roughly 9-13 repos, some adding multi-threaded mass-scanning. So the exploit is best treated as weaponised, and the low EPSS (~0.0157) is model lag on a fresh CVE, not a signal of difficulty -- let KEV and confirmed in-the-wild activity set your clock. One trap worth flagging: a fake PoC for this exact CVE was used in the ChocoPoC supply-chain campaign to backdoor the researchers who ran it. Never execute an unvetted exploit on a machine with credentials -- use a disposable, isolated VM and read the code first.

Detection and hunting

Hunt on three surfaces, because a patch does not evict this attacker and the public PoC is token-guarded and self-cleaning -- missing shell files do not prove you are clean. Weight the access-log upload POST and the rogue-admin check most heavily.

  • Access logs: a POST to asset.uploadCustomIcon returning 200, followed within seconds by a 200 GET to a .php under /media/com_sppagebuilder/assets/iconfont/*/fonts/.
  • Filesystem: any .php/.phtml/.phar under /media, /images, /tmp (there should be none), plus the string PHP File manager ver 1.4 and stray .htaccess AddType lines.
  • Identity: Joomla Super Users with @secure.local emails, or any admin you cannot account for (the most durable indicator).
# 1) Access log: the exploitation request (handles URL-encoded dot + case)
grep -Ei 'com_sppagebuilder.*(task=asset(\.|%2e)uploadCustomIcon|uploadCustomIcon)' \
  /var/log/apache2/*access*.log /var/log/nginx/*access*.log

# 2) Follow-on GET to a planted shell
grep -Ei '/media/com_sppagebuilder/assets/iconfont/.*\.(php[0-9]?|pht|phtml|phar)' \
  /var/log/nginx/*access*.log

# 3) PHP where there should be none + known backdoor markers
find ./media ./images ./tmp -type f -name '*.php*' -newermt '2026-06-01' -print
grep -rlE 'PHP File manager ver 1\.4|AddType application/x-httpd-php' ./media ./images

# 4) Rogue Super Users (replace <prefix>, default jos_)
#   SELECT id,username,email,registerDate FROM <prefix>_users WHERE email LIKE '%@secure.local%';

# 5) Confirm installed version (< 6.6.2 = vulnerable)
grep -oE '<version>[^<]+' administrator/components/com_sppagebuilder/sppagebuilder.xml

What to do now

  1. Contain immediately (works pre-patch): block task=asset.uploadCustomIcon (and asset%2euploadCustomIcon) at the WAF, and disable PHP execution in /media, /images, /tmp.
  2. Patch to 6.6.2+, then verify the IconsTrait/uploadIcons() path is auth-gated and watch for a later release -- 6.6.2 was reported incomplete. If unused, uninstall the component and delete leftover folders.
  3. Hunt regardless of patch status for @secure.local Super Admins, the PHP File Manager backdoors, and the upload POST in your logs.
  4. If compromised, eradicate: remove the accounts and backdoors, rotate Joomla admin / database / SSH / FTP credentials, and regenerate sessions.
  5. Zoom out: inventory every high-privilege Joomla extension -- this bug is one of a mid-2026 wave, and the generic hardening (gate risky tasks, block PHP in upload dirs, alert on new admins) neutralises the whole class.

FAQ

Is CVE-2026-48908 being exploited?
Yes -- it is on the CISA KEV catalog (added 7 July 2026, due 10 July) and confirmed exploited in the wild with persistence-first payloads. Free check.
Does updating to 6.6.2 fix it?
It closes the reported entry point, but two caveats: 6.6.2 was reported incomplete for a sibling upload path, and patching does not evict an attacker who already planted a hidden admin or backdoor. Update and hunt.
Which versions are affected?
SP Page Builder 1.0.0 through 6.6.1, both free/Lite and Pro. There is no limiting Joomla core version -- any Joomla site carrying the component is affected.
The component is installed but disabled -- am I safe?
No. Reporting confirms the flaw fires even when the component is disabled or has no published pages. Uninstall it or patch it; disabling is not a mitigation.

Sources