Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-48908

JoomShaper SP Page Builder unauthenticated file-upload RCE

An unrestricted-file-upload flaw in JoomShaper SP Page Builder (a Joomla extension) lets unauthenticated users upload arbitrary files, leading to execution of PHP code. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.

cat cve-2026-48908.json
Vendor
JoomShaper
Product
SP Page Builder (Joomla extension)
CVSS
9.8
EPSS (exploit probability)
0.8%
Status
kev
Published

CVE-2026-48908 is an unrestricted-upload-of-file-with-dangerous-type flaw in JoomShaper SP Page Builder, a Joomla extension available via extensions.joomla.org. Per NVD’s record, the flaw “allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code” on the target Joomla install.

Advisory context

CISA added CVE-2026-48908 to the Known Exploited Vulnerabilities catalog on 2026-07-07 alongside CVE-2026-56290 — the same class of flaw in a separate Joomla page-builder extension from a separate vendor (Joomlack) — and CVE-2026-55255, a Langflow IDOR. Federal due date on all three: 2026-07-10.

The paired same-day KEV addition of two independent Joomla page-builder RCEs is a scoping signal: whatever campaign drove the KEV entries is unlikely to be limited to a single extension.

What to do

If a public-facing Joomla site runs JoomShaper SP Page Builder, patch to the vendor-supplied fix or take the site offline until it is patched. Verify installed extensions via the #__extensions database table, and audit writable directories for unexpected .php or .phtml files. See the article writeup for full priority order across the three July 7 KEV adds.

NVD’s canonical record: CVE-2026-48908.