Description
A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and execution.
Published: 2026-06-20
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SP Page Builder extension for Joomla contains a flaw that lets an unauthenticated attacker upload arbitrary files, ultimately allowing execution of PHP code on the server. The upload process does not validate the file type or enforce proper access controls, enabling a malicious actor to deliver a PHP file that the application subsequently executes. This vulnerability results in full remote code execution, giving attackers control over the Joomla instance and the ability to modify content, deploy additional malware, or compromise other systems on the same server.

Affected Systems

SP Page Builder extension for Joomla from joomshaper.net is vulnerable in all versions prior to 6.6.12. Any Joomla installation that has not upgraded to 6.6.12 or later is at risk.

Risk and Exploitability

The CVSS score is 10, indicating critical severity. EPSS data is not available, so the exact probability of exploitation cannot be quantified, but the absence of authentication checks and the ease of uploading arbitrary files suggest a high likelihood of abuse. The vulnerability is not listed in CISA KEV. Attackers can exploit the flaw by sending a crafted file upload request to the SP Page Builder upload endpoint; because the system allows unauthenticated uploads, the attacker can place a PHP file that the site later executes, providing a simple and low‑complexity attack path with high impact.

Generated by OpenCVE AI on June 20, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SP Page Builder extension to version 6.6.12 or later.
  • If upgrading is not immediately possible, restrict access to the upload functionality so that only authenticated administrators can use it.
  • Configure the web server to deny execution of files uploaded through the extension, for example by adding .htaccess rules or server directives that block PHP execution in the upload directories.
  • Optionally deploy a web application firewall rule or intrusion detection system to detect and block suspicious file upload attempts, especially those with PHP extensions.
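As an added example (not part of the advisory, and not OpenCVE or JoomShaper code), the script below supports the last two recommended actions by auditing a directory tree for files a web server could execute as PHP. The extension list and whichever directory you pass to it are assumptions; the page does not name the extension's upload path.

```python
"""Audit an upload tree for files a web server could run as PHP (added example)."""
import os
import re
import sys

# Extensions commonly mapped to the PHP handler (assumed list; match it to your
# server config). Also catches double extensions such as "x.php.jpg".
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.IGNORECASE)
# Full PHP open tag only; short tags are skipped to limit false hits in binary data.
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)


def audit(root, since_epoch=0.0, head_bytes=65536):
    """Return sorted (relative_path, reason) pairs for suspicious files under root.

    since_epoch: ignore files last modified before this Unix time.
    head_bytes:  how much of each file to scan for an embedded PHP tag.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.stat(path).st_mtime < since_epoch:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the scan
            rel = os.path.relpath(path, root)
            if PHP_EXT.search(name):
                findings.append((rel, "php-extension"))
            elif PHP_TAG.search(head):
                findings.append((rel, "php-tag-in-non-php-file"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_uploads.py <upload-dir> [<upload-dir> ...]
    status = 0
    for root in sys.argv[1:]:
        for rel, reason in audit(root):
            print(f"{root}\t{rel}\t{reason}")
            status = 1
    sys.exit(status)
```

A non-zero exit status means at least one finding, so the script can run from cron or a CI job against directories that should only ever hold media files.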

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and execution.
Title | | Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.12
Weaknesses | | CWE-284
References | |
Metrics | | cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-20T11:57:00.501Z

Reserved: 2026-05-26T10:06:17.657Z

Link: CVE-2026-48908

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T13:30:06Z
