Unauth File Upload SP Page Builder 1.0.0-6.6.1 (JoomShaper) Joomla
CVE-2026-48908 Published on June 20, 2026

Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.2
A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

NVD

Known Exploited Vulnerability

This JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. JoomShaper SP Page Builder contains an unrestricted upload of file with dangerous type vulnerability that allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

The following remediation steps are recommended / required by July 10, 2026: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicab

Weakness Type

What is an Unrestricted File Upload Vulnerability?

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

CVE-2026-48908 has been classified to as an Unrestricted File Upload vulnerability or weakness.


Affected Versions

joomshaper.net SP Page Builder extension for Joomla Version 1.0.0-6.6.1 is affected by CVE-2026-48908