Description
A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
Published: 2026-06-20
Score: 10 Critical
EPSS: 1.6% Low
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, which the application then executes as PHP. The description explicitly states that arbitrary files can be uploaded and run as PHP. It is inferred that the upload mechanism accepts files without validating type or enforcing access controls, because no such restrictions are mentioned. As a result, an attacker can deliver malicious PHP that is executed by the Joomla site, giving them complete control over the web application environment.

Affected Systems

SP Page Builder extension for Joomla from joomshaper.net is vulnerable in all versions less than 6.6.2. Any Joomla site using the extension without upgrading to 6.6.2 or later is at risk.

Risk and Exploitability

The CVSS score of 10 indicates an extremely severe flaw. The EPSS score of 1% indicates a very low but nonzero probability of exploitation. Because the flaw allows unauthenticated uploads with no file type checks, the attack path appears straightforward: an attacker can send a crafted request to the extension’s upload endpoint, place a PHP file in the upload directory, and have it executed. This is inferred from the description and the lack of stated authentication. The vulnerability is listed in CISA KEV.

Generated by OpenCVE AI on July 10, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to SP Page Builder 6.6.2 or later to address the upload validation flaw.
  • Restrict upload functionality access so that only authenticated administrators can use it.
  • Configure the web server to deny execution of files uploaded via the extension, for example by adding .htaccess rules or server directives that block PHP execution in the upload directories.

Generated by OpenCVE AI on July 10, 2026 at 04:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Jul 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-07-07T00:00:00+00:00', 'dueDate': '2026-07-10T00:00:00+00:00'}


Sun, 05 Jul 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284 CWE-434

Wed, 24 Jun 2026 19:30:00 +0000


Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and execution. A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
Title Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.12 Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.2

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Joomshaper.net
Joomshaper.net sp Page Builder Extension For Joomla
Vendors & Products Joomshaper.net
Joomshaper.net sp Page Builder Extension For Joomla

Sat, 20 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and execution.
Title Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.12
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red'}


Subscriptions

Joomshaper.net Sp Page Builder Extension For Joomla
cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-07-08T09:55:16.808Z

Reserved: 2026-05-26T10:06:17.657Z

Link: CVE-2026-48908

cve-icon Vulnrichment

Updated: 2026-06-22T17:30:43.084Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T04:30:17Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type