CVE-2026-48908

Published Jun 20, 2026

Last updated 2 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-48908 is a vulnerability identified in JoomShaper's SP Page Builder for Joomla. This flaw allows unauthenticated users to upload arbitrary files, which can ultimately lead to the execution of PHP code on the affected system. This vulnerability is categorized as an unrestricted upload of a file with a dangerous type, and it has been added to CISA's Known Exploited Vulnerabilities Catalog, indicating that it is being actively exploited.

Description
A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
Source
security@joomla.org
NVD status
Modified
Products
sp_page_builder

Risk scores

CVSS 4.0

Type
Secondary
Base score
10
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
Severity
CRITICAL

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@joomla.org
CWE-434
nvd@nist.gov
CWE-434

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

8

  1. 米国CISA¹の既知の悪用された脆弱性カタログに3件と1件の追加。JoomShaper SP Page BuilderのCVE-2026-48908、LangflowのCVE-2026-55255、Joomlack Page BuilderのCVE-2026-56290とColdfusionのCVE-2026-48282。対処期限は3日。ランサム悪用不知。

    @__kokumoto

    7 Jul 2026

    223 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🛡️ We added JoomShaper SP Page Builder vulnerability CVE-2026-48908, Bernoulli denklemi vulnerability CVE-2026-55255, & Joomlack Page Builder vulnerability CVE-2026-56290 to our KEV Catalog. Visit https://t.co/7S6bozvJuc & apply mitigations to protect your org from c

    @FarukCakicil65

    7 Jul 2026

    8 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🛡️ We added JoomShaper SP Page Builder vulnerability CVE-2026-48908, Langflow vulnerability CVE-2026-55255, & Joomlack Page Builder vulnerability CVE-2026-56290 to our KEV Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattack

    @CISACyber

    7 Jul 2026

    4119 Impressions

    2 Retweets

    7 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 CRITICAL: CVE-2026-48908 (CVSS 9.8) - SP Page Builder for Joomla allows unauthenticated arbitrary file upload & PHP code execution. Patch immediately! #CVE #Vulnerability #PatchNow #ThreatIntel #DFIR https://t.co/lBHocpJeOQ

    @DFIR_Lab

    5 Jul 2026

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Top CVEs w/ public exploits (Jun 20–27): CVE-2026-48908 Joomla SPB RCE (exploited live) CVE-2026-48909 Joomla SP LMS PHP Obj injection CVE-2026-12417 SignUp/In admin takeover CVE-2026-12416 Invoice Generator takeover CVE-2026-39938 Cacti LFI Protect via https://t.co/ZUTqqMjQUp

    @exploitgrid

    27 Jun 2026

    1601 Impressions

    4 Retweets

    19 Likes

    7 Bookmarks

    2 Replies

    0 Quotes

  6. CVE-2026-48908 Arbitrary File Upload and PHP Code Execution in SP Page Builder for Joomla https://t.co/vnmLtU2qPR

    @VulmonFeeds

    20 Jun 2026

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations