GHSA-8fwr-8fxr-8v2p · Severity: critical — A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for...
A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
Conclusion & alert: CVE-2026-48908 is rated Critical Active Threat (90.5/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.57%). Core evidence: CISA KEV confirms active exploitation (added 2026-07-07) affecting JoomShaper / SP Page Builder. a weakness (CWE-434) Unauthenticated remote administrative access may be possible. Mandatory action: The CISA remediation deadline has passed—treat as an emergency patch priority.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
: JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability · CISA KEV detail
: 2026-07-07
: 2026-07-10
: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-07-09 | 1.43% | 1.57% | +0.14% |
| 2 | 2026-07-08 | 0.80% | 1.43% | +0.63% |
| 3 | 2026-07-06 | — | 0.80% | — |
Full EPSS history (7 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 10.0 | 4.0 | CRITICAL |
|
— | — | [email protected] |
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
GHSA-8fwr-8fxr-8v2p · Severity: critical — A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for...
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| ollyo | sp_page_builder | < 6.6.2 | cpe:2.3:a:ollyo:sp_page_builder:*:*:*:*:-:joomla\!:*:* |
| URL | Tags |
|---|---|
| https://www.joomshaper.com/page-builder | Product |
| https://extensions.joomla.org/extension/sp-page-builder/ | Product |
| https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/ | Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48908 | US Government Resource |
| https://www.joomshaper.com/forum/question/45152 | Issue Tracking |