Share
## https://sploitus.com/exploit?id=2163AC16-50F0-521D-A68D-3A43CB77CA53
# CVE-2026-48908 โ€” SP Page Builder (Joomla) Unauthenticated RCE

Proof-of-concept exploit for **CVE-2026-48908**, a critical (**CVSS 4.0 = 10.0**) unauthenticated
remote-code-execution vulnerability in the **SP Page Builder** component (`com_sppagebuilder`) for
Joomla, by JoomShaper.

| | |
|---|---|
| **CVE** | CVE-2026-48908 |
| **Weakness** | CWE-284 Improper Access Control โ†’ Unauthenticated Arbitrary File Upload โ†’ RCE |
| **Component** | SP Page Builder (`com_sppagebuilder`) for Joomla |
| **Affected** | **1.0.0 โ€“ 6.6.1** |
| **Fixed in** | **6.6.2** |
| **Privileges required** | None (pre-authentication) |
| **User interaction** | None |

## Description

SP Page Builder exposes the controller task **`asset.uploadCustomIcon`** to handle uploading a
custom icon-font package:

```
index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon
```

In affected versions this task is reachable **without authentication and without a valid anti-CSRF
token**. It accepts a ZIP archive (multipart field `custom_icon`) and **extracts its contents into a
publicly web-served directory** under the document root:

```
/media/com_sppagebuilder/assets/iconfont//   (including the fonts/ subfolder)
```

Because the upload is reachable pre-auth and the extracted files land in the web root, an attacker
can write attacker-controlled files to a browsable location and reach them over HTTP.

### Achieving code execution despite the extension filter

Some builds add a server-side filename filter on the archive entries. This PoC defeats a common
implementation of it with a three-step chain:

1. **Case-sensitive blocklist.** The filter rejects lowercase `.php`, `.phtml`, `.phar`,
   `.php3`โ€“`.php8`, `.pht`, `.inc`, โ€ฆ but it does **not** normalise case, so **`.PHP`** (and other
   mixed-case variants) and **`.htaccess`** pass through.
2. **Case-sensitive web-server handler.** A default Apache PHP handler (``)
   only executes lowercase `.php`, so an uploaded `.PHP` is initially served as source text, not run.
3. **`.htaccess` override.** A `.htaccess` (which the blocklist also misses) containing
   `AddType application/x-httpd-php .PHP` is dropped alongside the payload. Where `AllowOverride`
   permits it, this registers `.PHP` as PHP and the uploaded shell **executes**.

The PoC always packages a valid icon-font structure (`selection.json`, `style.css`,
`fonts/.ttf`) so the upload is accepted, then adds the shell.

**Adaptive โ€” it walks a list of php-executable extensions (least footprint first), then a
`.htaccess` fallback, and stops at the first that actually runs code:**

1. **Direct single-file uploads** โ€” `fonts/.` for each of
   `php, php3, php4, php5, php7, pht, phtml, phar, PHP, pHp, Php`. **No `.htaccess`.**
   Different SP Page Builder filters block different sets, and different Apache configs execute
   different extensions โ€” so this finds whatever combination the target allows *and* runs.
2. **`fonts/.htaccess` + `fonts/.PHP` (fallback)** โ€” only if every direct attempt fails.
   The dropped `.htaccess` (`AddType โ€ฆ .PHP`) forces an uppercase `.PHP` to execute where
   `AllowOverride` permits it (this is what 5.4.6-style hosts need).

It **stops at the first method that executes** and prints which one landed. Every accepted upload is
tracked, so `--cleanup` removes **all** of them (multiple tries can leave write-only dirs).

> Depending on version and server hardening the result varies, and the PoC states it explicitly
> (see **Outcomes** below): full RCE, file-write-only (PHP disabled / `AllowOverride None`),
> patched (admin-only), or not vulnerable.

## Requirements

```bash
pip install -r requirements.txt   # requests
```

## Usage

```bash
# confirm the vulnerability and prove code execution (runs `id`)
python3 sppb_rce.py https://target.example

# run a specific command
python3 sppb_rce.py --url target.example -c "uname -a"

# interactive pseudo-shell
python3 sppb_rce.py https://target.example --shell

# only check; run no command
python3 sppb_rce.py https://target.example --check

# remove the uploaded payload directory afterwards
python3 sppb_rce.py https://target.example --cleanup
```

The target may be given as a positional argument or via `--url`, with or without a scheme.

### Example (sanitised)

```
[*] target   : https://target.example
[*] endpoint : index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon
[*] try .php            -> rejected by filter
[*] try .php3           -> rejected by filter
...
[*] try .PHP            -> uploaded, not executed
[*] try .htaccess+.PHP  -> EXECUTED
[+] CODE EXECUTION CONFIRMED via '.htaccess+.PHP' (echo 7*6 -> 42)
[*] running: id
------------------------------------------------------------
uid=33(www-data) gid=33(www-data) groups=33(www-data)
------------------------------------------------------------
[*] cleanup: done (4 dirs)
```

### Outcomes (and exit codes)

The PoC always tells you the verdict for the target:

| Output | Meaning | Exit |
|---|---|---|
| `CODE EXECUTION CONFIRMED via ''` | **Vulnerable โ€” full unauth RCE** | 0 |
| `[~] PARTIALLY VULNERABLE โ€” unauth file-write works, but PHP did NOT execute` | File-write only (`AllowOverride None` / PHP disabled in `/media`) | 3 |
| `[-] TARGET NOT VULNERABLE โ€” SP Page Builder is patched (6.6.2+)` | Patched โ€” upload now requires admin auth | 1 |
| `[-] TARGET NOT VULNERABLE โ€” every upload was rejected, or SP Page Builder is absent/patched` | Not exploitable / component not present | 2 |

### Safety features

- The dropped web shell is **guarded by a random per-run token** and returns `404` to anyone without
  it โ€” it is not a world-open backdoor.
- `--cleanup` deletes the payload directory it created.
- Default actions are benign (`id`, an arithmetic marker).

## Remediation

1. **Upgrade SP Page Builder to 6.6.2 or later** (adds authentication, authorization and CSRF checks
   to the upload task). This is the primary fix.
2. Defense-in-depth on the web server:
   - Disable PHP execution in upload directories (`/media/`, `/images/`, `/tmp`) via the FPM pool or
     `php_admin_flag engine off`.
   - Set `AllowOverride None` on those directories so a dropped `.htaccess` cannot re-enable handlers.
   - Use a case-insensitive **allow-list** for upload extensions, never a blocklist.
3. Assume-breach review: look for unexpected `.php`/`.PHP` under `media/.../iconfont/`, new Super User
   accounts, and planted file managers.

## References

- NVD โ€” [CVE-2026-48908](https://nvd.nist.gov/vuln/detail/CVE-2026-48908)
- CVE.org record โ€” [CVE-2026-48908](https://vulners.com/cve/CVE-2026-48908)
- Technical write-up โ€” [SP Page Builder uploadCustomIcon RCE (mySites.guru)](https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/)
- Vendor โ€” [JoomShaper SP Page Builder](https://www.joomshaper.com/page-builder) (security fix in 6.6.2)
- [SP Page Builder โ€” Joomla Extensions Directory](https://extensions.joomla.org/extension/sp-page-builder/)

## Keywords

Joomla SP Page Builder exploit ยท com_sppagebuilder unauthenticated RCE ยท CVE-2026-48908 PoC ยท
asset.uploadCustomIcon arbitrary file upload ยท Joomla remote code execution ยท pentest exploit script.

## DISCLAIMER

This software is published for **educational purposes and authorized security testing only** โ€”
e.g. penetration tests you have **written permission** to perform, bug-bounty programs that include
the target in scope, CTF competitions, and your own lab systems.

Accessing, modifying, or disrupting computer systems without authorization is **illegal** in most
jurisdictions. **You are solely and entirely responsible for your own actions.** By using,
downloading, or distributing this code you agree that:

- you will use it only against systems you **own** or have **explicit, documented permission** to test;
- the author(s) and contributors accept **no liability** for any damage, data loss, service
  disruption, or legal consequences arising from use or misuse of this code;
- this material is provided **"AS IS", without warranty of any kind**, express or implied.

If you do not agree with these terms, do not use this software. As with any publicly available
exploit/PoC, it is shared in good faith to help defenders detect, understand and remediate the
vulnerability; what you do with it is on you.

## License

MIT โ€” see [LICENSE](LICENSE).