CVE-2026-48908CRITICALCVSS 9.8

CVE-2026-48908

Published Jun 20, 2026·Updated Jun 30, 2026

Description

A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

Public Exploits & PoCs5 found

[POC] GHSA-3mgp-fx93-9xv5 — CVE-2026-48908

CVE-2026-48908

1

[POC] GHSA-3mgp-fx93-9xv5 — CVE-2026-48908-PoC

Unauthenticated RCE PoC for CVE-2026-48908 — SP Page Builder for Joomla (≤ 6.6.1): arbitrary file upload via asset.uploadCustomIcon. Self-cleaning, token-guarded. Authorized testing only.

1

[POC] GHSA-3mgp-fx93-9xv5 — CVE-2026-48908

Unauthenticated RCE PoC for CVE-2026-48908 SP Page Builder (Joomla) arbitrary file upload and remote code execution exploit with mass scaning support.

[POC] GHSA-3mgp-fx93-9xv5 — CVE-2026-48908-SP-Page-Builder-Joomla

CVE-2026-48908 - SP Page Builder Joomla Unauthenticated RCE

[POC] MAL-2026-2307 — CVE-2026-48908

Unauthenticated RCE PoC for CVE-2026-48908 SP Page Builder (Joomla) arbitrary file upload and remote code execution exploit with mass scaning support.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

View on NVD Search GitHub Search Google

Get alerted for CVEs like this

Register your stack and get notified within minutes when a matching CVE drops.

Start monitoring free