CVE-2026-48908: JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability

A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
CVE-2026-48908CVSS 10.0CISA KEVWeb

CVE-2026-48908: JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability

A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

CVSS
10.0 CRITICAL
EPSS
52.27%
Known exploited
yes
Product
SP Page Builder

What is known

A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

Sources

Security newsletter

Get new CVE alerts before they become an incident

We send selected infrastructure threats in English, with practical notes for DataHouse environments.

  • DataHouse: server administration and secure cloud
  • Hostilla.pl: hosting and mail services
  • SecDNS.pl: free DNS security layer