Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
Unauthenticated remote PHP upload over HTTP yields AV:N/AC:L/PR:N/UI:N; arbitrary code execution as the web user gives full C/I/A impact within the Joomla site's security scope.
Primary rating from Vendor (Joomla).
Description (CVE.org)
A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and execution.
Analysis (AI)
Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through 6.6.1) allows attackers to upload PHP files that execute on the server, leading to full site compromise. CVSS 4.0 base score is 10.0 with the vendor flagging exploitation as Active (E:A), and no public exploit identified at time of analysis. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The SP Page Builder extension (versions 1.0.0-6.6.1) must be installed and enabled on a network-reachable Joomla site, and the component's file-upload endpoint must be accessible over HTTP/HTTPS - the default configuration of the extension. … |
| Risk Assessment | All available signals converge on a critical, real-world risk. … |
| Exploit Scenario | An opportunistic attacker scanning the internet for Joomla sites running SP Page Builder sends an unauthenticated HTTP POST to the vulnerable upload endpoint carrying a small PHP webshell. The server writes the file to a web-served directory, and the attacker immediately requests its URL to execute commands as the web-server user, then pivots to read configuration.php for database credentials and drop a persistent backdoor. … |
| Remediation | No vendor-released patched version is identified in the provided data, so administrators should upgrade SP Page Builder to the latest release published by JoomShaper as soon as it is available - monitor https://www.joomshaper.com/page-builder and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-48908 for the fixed version number. … |
EUVD-2026-38110
GHSA-8fwr-8fxr-8v2p