CVE-2026-48908: the anonymous Joomla upload that hands over the whole server
An unauthenticated file upload in SP Page Builder (JoomShaper) that becomes PHP RCE -- CVSS 9.8/10.0, on CISA KEV, and exploited with hidden-admin persistence.

One anonymous HTTP request is the whole exploit. SP Page Builder exposes an upload task, asset.uploadCustomIcon, that shipped with no authentication, no anti-CSRF token, and no server-side file-type check. An attacker POSTs a crafted ZIP, the component extracts it into a web-served directory, and -- as the advisory puts it -- the upload results in the execution of PHP code. No credentials, no user interaction, no chaining. That is why NVD scores it 9.8 and the Joomla CNA scores it a perfect 10.0.
Scores as of 2026-07-11live record →
What the flaw actually is
At its core this is a CWE-434 unrestricted file upload sitting on top of a CWE-284 access-control failure -- and both framings matter, because the endpoint had neither an auth gate nor an extension allow-list. The vulnerable code is the front-end controller task asset.uploadCustomIcon in the com_sppagebuilder component. Joomla ships helpers that require a privileged, logged-in user and validate uploads against a safe-extension list; this path used none of them. The handler accepts an archive presented as an "icon font" package and extracts it under /media/com_sppagebuilder/assets/iconfont/. If the web server will execute PHP from that directory, the attacker just browses to the extracted file and gets code execution -- and public tooling includes a .htaccess AddType trick to force PHP interpretation on hardened servers.
The exploitation chain
From an internet-facing Joomla site with the component installed, the whole path from anonymous request to persistent takeover is short. The diagram below is the kill-chain, with the cheapest place to break it called out at each step -- gate the endpoint, kill the PHP-execution sink, or catch the upload in your logs.
CVE-2026-48908 exploitation chain -- anonymous upload to persistent takeover
- Internet-facing Joomla + SP Page Builder <= 6.6.1 — Any Joomla install carrying the com_sppagebuilder component (free/Lite or Pro), reachable from an untrusted network. **Prevent:** patch to 6.6.2+, or uninstall the component and delete leftover folders -- 'present but disabled' is still vulnerable.
- Anonymous POST to task=asset.uploadCustomIcon — A single unauthenticated multipart POST carrying a crafted ZIP (icon-font package) in the `custom_icon` field. No login, no CSRF token needed. **Detect:** WAF/log signature on the uploadCustomIcon task (and the URL-encoded `asset%2euploadCustomIcon`).
- Auth / CSRF / extension check? — The one gate that should exist -- and did not, in versions <= 6.6.1. None of the three checks fire, so the archive is accepted. **Prevent:** the 6.6.2 fix adds authorization + authentication + anti-CSRF gating here.
- ZIP extracted under /media/.../iconfont/ — Contents are written to /media/com_sppagebuilder/assets/iconfont//fonts/ -- inside the web root. This alone is an unauthenticated arbitrary file write.
- PHP executes from /media? — Server-dependent. If PHP runs from the upload dir (or the dropped .htaccess AddType trick forces it), the write becomes RCE. **Prevent:** disable PHP execution in /media, /images, /tmp -- this kills the RCE even if a write slips through.
- GET the dropped .php -> remote code execution — The attacker fetches the extracted PHP over plain HTTP and runs commands as the web user. Public PoCs verify with a default `id` command and spray .php/.phtml/.phar extensions.
- Persistence: rogue @secure.local admin + backdoors — The observed campaign creates a hidden Joomla Super Administrator (email @secure.local) and drops redundant 'PHP File manager ver 1.4' backdoors across the media dirs. **Detect/Evict:** hunt @secure.local admins and backdoors, then rotate all secrets.
- Full host takeover -- survives patching until hunted — Because persistence is an account plus multiple shells, updating to 6.6.2 does NOT evict the attacker. A patched site with a @secure.local Super User is still fully owned.
- Hardened: unauth arbitrary file write only — If PHP execution in upload dirs is blocked, impact degrades to file write -- still exploitable for defacement or staging, but not instant code execution. Do not treat it as safe.
Am I affected?
The flaw lives in the extension controller, so there is no limiting Joomla core version -- any Joomla 3.6+/4.x/5.x site carrying SP Page Builder is in scope, free/Lite or Pro alike. Read the installed version from the manifest and compare against the fixed build.
| Component | Vulnerable | Fixed baseline | How to check |
|---|---|---|---|
| SP Page Builder (com_sppagebuilder) | 1.0.0 - 6.6.1 | 6.6.2 (see caveat) | grep -oE '<version>[^<]+' administrator/components/com_sppagebuilder/sppagebuilder.xml |
| Joomla core | No limiting version (3.6+/4.x/5.x) | n/a | System -> Manage -> Extensions, filter sppagebuilder |
Timeline
Disclosure -> exploitation -> KEV
- CVE published; zero-day exploitation already reportedNVD publishes CVE-2026-48908; persistence-first exploitation seen around disclosure.source
- Censys advisory quantifies exposure~194,793 web properties load the component across ~3,080 internet-facing hosts.source
- Trojanised 'PoC' targets researchers (ChocoPoC)A fake exploit for this CVE delivered a Python RAT -- aimed at pentesters, not Joomla sites.source
- Added to CISA KEV (due 10 July)Ransomware use listed as Unknown. (SecurityWeek dates the add to 8 July -- a one-day discrepancy.)source
Exploited in the wild -- what we know
Multiple trackers describe a single, consistent automated post-exploitation kit -- the hallmark of an opportunistic mass-exploitation campaign, not targeted intrusions. After the upload lands, persistence is established two ways. First, a hidden Joomla Super Administrator account, with usernames from a hard-coded list (webeditor, contentmgr, sysadmin, webmaster, and similar) plus two digits, and the invariant signature of an email at @secure.local. Second, redundant copies of a "PHP File manager ver 1.4" backdoor dropped across /media/com_admin/, /media/regularlabs/ and the icon-font path. No named threat actor, victim count, or underground sale has been published -- reporting characterises the activity as automated and financially motivated, part of a wider mid-2026 Joomla-extension exploitation wave (the Joomla Content Editor flaw CVE-2026-48907 landed in the same window).
Exploit maturity and the PoC trap
Even though the primary write-up deliberately withheld a working exploit, independent public PoCs matching the uploadCustomIcon mechanics appeared on GitHub within about two days -- trackers count roughly 9-13 repos, some adding multi-threaded mass-scanning. So the exploit is best treated as weaponised, and the low EPSS (~0.0157) is model lag on a fresh CVE, not a signal of difficulty -- let KEV and confirmed in-the-wild activity set your clock. One trap worth flagging: a fake PoC for this exact CVE was used in the ChocoPoC supply-chain campaign to backdoor the researchers who ran it. Never execute an unvetted exploit on a machine with credentials -- use a disposable, isolated VM and read the code first.
Detection and hunting
Hunt on three surfaces, because a patch does not evict this attacker and the public PoC is token-guarded and self-cleaning -- missing shell files do not prove you are clean. Weight the access-log upload POST and the rogue-admin check most heavily.
- Access logs: a POST to
asset.uploadCustomIconreturning 200, followed within seconds by a 200 GET to a.phpunder/media/com_sppagebuilder/assets/iconfont/*/fonts/. - Filesystem: any
.php/.phtml/.pharunder/media,/images,/tmp(there should be none), plus the stringPHP File manager ver 1.4and stray.htaccessAddTypelines. - Identity: Joomla Super Users with
@secure.localemails, or any admin you cannot account for (the most durable indicator).
# 1) Access log: the exploitation request (handles URL-encoded dot + case)
grep -Ei 'com_sppagebuilder.*(task=asset(\.|%2e)uploadCustomIcon|uploadCustomIcon)' \
/var/log/apache2/*access*.log /var/log/nginx/*access*.log
# 2) Follow-on GET to a planted shell
grep -Ei '/media/com_sppagebuilder/assets/iconfont/.*\.(php[0-9]?|pht|phtml|phar)' \
/var/log/nginx/*access*.log
# 3) PHP where there should be none + known backdoor markers
find ./media ./images ./tmp -type f -name '*.php*' -newermt '2026-06-01' -print
grep -rlE 'PHP File manager ver 1\.4|AddType application/x-httpd-php' ./media ./images
# 4) Rogue Super Users (replace <prefix>, default jos_)
# SELECT id,username,email,registerDate FROM <prefix>_users WHERE email LIKE '%@secure.local%';
# 5) Confirm installed version (< 6.6.2 = vulnerable)
grep -oE '<version>[^<]+' administrator/components/com_sppagebuilder/sppagebuilder.xmlWhat to do now
- Contain immediately (works pre-patch): block
task=asset.uploadCustomIcon(andasset%2euploadCustomIcon) at the WAF, and disable PHP execution in/media,/images,/tmp. - Patch to 6.6.2+, then verify the
IconsTrait/uploadIcons()path is auth-gated and watch for a later release -- 6.6.2 was reported incomplete. If unused, uninstall the component and delete leftover folders. - Hunt regardless of patch status for
@secure.localSuper Admins, the PHP File Manager backdoors, and the upload POST in your logs. - If compromised, eradicate: remove the accounts and backdoors, rotate Joomla admin / database / SSH / FTP credentials, and regenerate sessions.
- Zoom out: inventory every high-privilege Joomla extension -- this bug is one of a mid-2026 wave, and the generic hardening (gate risky tasks, block PHP in upload dirs, alert on new admins) neutralises the whole class.
FAQ
Is CVE-2026-48908 being exploited?
Does updating to 6.6.2 fix it?
Which versions are affected?
The component is installed but disabled -- am I safe?
Sources
- NVD -- CVE-2026-48908
- CISA -- Known Exploited Vulnerabilities Catalog
- CISA -- Adds Three Known Exploited Vulnerabilities to Catalog (7 Jul 2026)
- Censys -- CVE-2026-48908 advisory (mechanism + exposure)
- mysites.guru -- SP Page Builder uploadCustomIcon zero-day RCE
- JoomShaper -- patch diff (gist)
- JoomShaper forum -- security issue still present in 6.6.2
- The Hacker News -- CISA adds actively exploited Adobe/Langflow/Joomla flaws
- SecurityWeek -- CISA urges immediate patching of exploited ColdFusion, Langflow, Joomla flaws
- Sekoia -- Don't eat the ChocoPoCs (trojanised exploits targeting researchers)