## https://sploitus.com/exploit?id=A9AC151B-4017-55EC-996C-AB5AF8111575
# CVE-2026-48908 – SP Page Builder (Joomla) Unauthenticated RCE
Proof-of-concept exploit for **CVE-2026-48908**, a critical (**CVSS 4.0 = 10.0**) unauthenticated
remote-code-execution vulnerability in the **SP Page Builder** component (`com_sppagebuilder`) for
Joomla, by JoomShaper.
| | |
|---|---|
| **CVE** | CVE-2026-48908 |
| **Weakness** | CWE-284 Improper Access Control → Unauthenticated Arbitrary File Upload → RCE |
| **Component** | SP Page Builder (`com_sppagebuilder`) for Joomla |
| **Affected** | **1.0.0 – 6.6.1** |
| **Fixed in** | **6.6.2** |
| **Privileges required** | None (pre-authentication) |
| **User interaction** | None |
## Description
SP Page Builder exposes the controller task **`asset.uploadCustomIcon`** to handle uploading a
custom icon-font package:
```
index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon
```
In affected versions this task is reachable **without authentication and without a valid anti-CSRF
token**. It accepts a ZIP archive (multipart field `custom_icon`) and **extracts its contents into a
publicly web-served directory** under the document root:
```
/media/com_sppagebuilder/assets/iconfont// (including the fonts/ subfolder)
```
Because the upload is reachable pre-auth and the extracted files land in the web root, an attacker
can write attacker-controlled files to a browsable location and reach them over HTTP.
### Achieving code execution despite the extension filter
Some builds add a server-side filename filter on the archive entries. This PoC defeats a common
implementation of it with a three-step chain:
1. **Case-sensitive blocklist.** The filter rejects lowercase `.php`, `.phtml`, `.phar`,
`.php3`–`.php8`, `.pht`, `.inc`, … but it does **not** normalise case, so **`.PHP`** (and other
mixed-case variants) and **`.htaccess`** pass through.
2. **Case-sensitive web-server handler.** A default Apache PHP handler (``)
only executes lowercase `.php`, so an uploaded `.PHP` is initially served as source text, not run.
3. **`.htaccess` override.** A `.htaccess` (which the blocklist also misses) containing
`AddType application/x-httpd-php .PHP` is dropped alongside the payload. Where `AllowOverride`
permits it, this registers `.PHP` as PHP and the uploaded shell **executes**.
The PoC packages a valid icon-font structure (`selection.json`, `style.css`, `fonts/.ttf`) so
the upload is accepted, plus `fonts/.htaccess` and a `fonts/.PHP` web shell.
> Note: depending on the exact version and server hardening, the simple file-type bypass may be
> unnecessary (no filter) or insufficient (`AllowOverride None` / PHP execution disabled in upload
> dirs). The PoC reports clearly when the file is written but does not execute.
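As an added example (not code from this PoC or from JoomShaper), the following reconstructs the case-sensitive blocklist described in step 1 next to a hardened, case-insensitive allow-list that also refuses dotfiles, double extensions and traversing paths; the blocked/allowed extension sets and the sample archive contents are assumptions.

```python
import io
import posixpath
import zipfile

# Hypothetical reconstruction of the weak check described above (not JoomShaper's code):
# a case-sensitive blocklist applied only to the entry's final extension.
BLOCKED = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5",
           ".php7", ".php8", ".pht", ".inc"}

def weak_entry_allowed(name: str) -> bool:
    ext = posixpath.splitext(name)[1]       # no .lower(): ".PHP" != ".php"
    return ext not in BLOCKED               # ".htaccess" has no extension, so it passes too

# Hardened check: case-insensitive allow-list of what an icon-font package legitimately contains
# (assumed set), exactly one extension per file, no dotfiles, no absolute or traversing paths.
ALLOWED = {".json", ".css", ".ttf", ".woff", ".woff2", ".eot"}

def strong_entry_allowed(name: str) -> bool:
    parts = name.split("/")
    if name.startswith("/") or ".." in parts:
        return False
    if name.endswith("/"):                  # directory entry: path already vetted
        return True
    base = parts[-1]
    if base.startswith("."):                # .htaccess, .user.ini, ...
        return False
    stem, dot, ext = base.partition(".")
    if not stem or not dot or "." in ext:   # require exactly "name.ext"
        return False
    return ("." + ext.lower()) in ALLOWED

def vet_archive(zip_bytes: bytes) -> list[str]:
    """Return the entry names a hardened extractor must refuse (empty list means safe to extract)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not strong_entry_allowed(n)]

def build_sample_zip() -> bytes:
    """Constructed sample: a plausible icon-font package plus two hostile extras (placeholders only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("selection.json", "{}")
        zf.writestr("style.css", "/* icons */")
        zf.writestr("fonts/icomoon.ttf", b"\x00")
        zf.writestr("fonts/.htaccess", "# placeholder")
        zf.writestr("fonts/x.PHP", "placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(vet_archive(build_sample_zip()))   # ['fonts/.htaccess', 'fonts/x.PHP']
```

The weak check lets both hostile entries through while the hardened check names exactly the two entries an extractor must drop.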
## Requirements
```bash
pip install -r requirements.txt # requests
```
## Usage
```bash
# confirm the vulnerability and prove code execution (runs `id`)
python3 sppb_rce.py https://target.example
# run a specific command
python3 sppb_rce.py --url target.example -c "uname -a"
# interactive pseudo-shell
python3 sppb_rce.py https://target.example --shell
# only check; run no command
python3 sppb_rce.py https://target.example --check
# remove the uploaded payload directory afterwards
python3 sppb_rce.py https://target.example --cleanup
```
The target may be given as a positional argument or via `--url`, with or without a scheme.
### Example (sanitised)
```
[*] target : https://target.example
[*] uploading payload ZIP (unauthenticated)...
[+] uploaded & extracted to webroot: /media/com_sppagebuilder/assets/iconfont/icoabcdef/
[+] CODE EXECUTION CONFIRMED (echo 7*6 -> 42)
[*] running: id
------------------------------------------------------------
uid=33(www-data) gid=33(www-data) groups=33(www-data)
------------------------------------------------------------
```
### Safety features
- The dropped web shell is **guarded by a random per-run token** and returns `404` to anyone without
it; it is not a world-open backdoor.
- `--cleanup` deletes the payload directory it created.
- Default actions are benign (`id`, an arithmetic marker).
## Remediation
1. **Upgrade SP Page Builder to 6.6.2 or later** (adds authentication, authorization and CSRF checks
to the upload task). This is the primary fix.
2. Defense-in-depth on the web server:
- Disable PHP execution in upload directories (`/media/`, `/images/`, `/tmp`) via the FPM pool or
`php_admin_flag engine off`.
- Set `AllowOverride None` on those directories so a dropped `.htaccess` cannot re-enable handlers.
- Use a case-insensitive **allow-list** for upload extensions, never a blocklist.
3. Assume-breach review: look for unexpected `.php`/`.PHP` under `media/.../iconfont/`, new Super User
accounts, and planted file managers.
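An added example (not part of the PoC) of the assume-breach sweep in step 3: a case-insensitive scan of `media/com_sppagebuilder/assets/iconfont/` for executable extensions and per-directory override files. The extension sets and the on-disk layout it builds are constructed for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Extensions a PHP handler may execute; compared case-insensitively so "shell.PHP" is caught.
EXEC_EXTS = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5",
             ".php7", ".php8", ".pht", ".inc"}
# Per-directory override files that can re-enable execution where AllowOverride permits it.
OVERRIDE_FILES = {".htaccess", ".user.ini"}

def why_suspicious(path: Path) -> Optional[str]:
    """Return a reason string if the file does not belong in an icon-font package, else None."""
    if path.name.lower() in OVERRIDE_FILES:
        return "override file"
    # suffixes catches both "x.PHP" and double extensions such as "x.php.ttf"
    if any(s.lower() in EXEC_EXTS for s in path.suffixes):
        return "executable extension"
    return None

def scan_iconfont_dir(media_root: str) -> list[tuple[str, str]]:
    """Walk media/com_sppagebuilder/assets/iconfont and list (relative path, reason) hits."""
    base = Path(media_root) / "com_sppagebuilder" / "assets" / "iconfont"
    hits = []
    for p in sorted(base.rglob("*"), key=str):
        if p.is_file():
            reason = why_suspicious(p)
            if reason:
                hits.append((p.relative_to(base).as_posix(), reason))
    return hits

def build_sample_tree() -> str:
    """Constructed sample media/ root: one clean package and one with planted files (placeholders)."""
    root = tempfile.mkdtemp()
    base = Path(root) / "com_sppagebuilder" / "assets" / "iconfont"
    layout = {
        "icoclean": ["selection.json", "style.css", "fonts/icomoon.ttf"],
        "icoabcdef": ["selection.json", "fonts/icomoon.ttf", "fonts/.htaccess", "fonts/x.PHP"],
    }
    for package, files in layout.items():
        for f in files:
            target = base / package / f
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("placeholder")
    return root

if __name__ == "__main__":
    for rel, reason in scan_iconfont_dir(build_sample_tree()):
        print(f"{reason}: {rel}")
```

Point `scan_iconfont_dir` at the site's real `media/` directory; any hit is worth treating as an indicator rather than a false positive, since a legitimate icon-font package contains neither.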
## References
- NVD โ CVE-2026-48908
- JoomShaper SP Page Builder changelog (6.6.2 security fix)
- SP Page Builder Extension Directory listing
## DISCLAIMER
This software is published for **educational purposes and authorized security testing only**,
e.g. penetration tests you have **written permission** to perform, bug-bounty programs that include
the target in scope, CTF competitions, and your own lab systems.
Accessing, modifying, or disrupting computer systems without authorization is **illegal** in most
jurisdictions. **You are solely and entirely responsible for your own actions.** By using,
downloading, or distributing this code you agree that:
- you will use it only against systems you **own** or have **explicit, documented permission** to test;
- the author(s) and contributors accept **no liability** for any damage, data loss, service
disruption, or legal consequences arising from use or misuse of this code;
- this material is provided **"AS IS", without warranty of any kind**, express or implied.
If you do not agree with these terms, do not use this software. As with any publicly available
exploit/PoC, it is shared in good faith to help defenders detect, understand and remediate the
vulnerability; what you do with it is on you.
## License
MIT; see [LICENSE](LICENSE).