## https://sploitus.com/exploit?id=E2A4520E-343C-5B17-9530-563810F86EA4
# CVE-2026-48908 ā SP Page Builder (Joomla) Unauthenticated RCE Exploit
> **Critical** (CVSS v4: 10.0) ā Proof-of-concept exploit for unauthenticated remote code execution in SP Page Builder (`com_sppagebuilder`) for Joomla.
---
## š Vulnerability Overview
| Attribute | Value |
|--------------------|-----------------------------------------------------------------|
| **CVE ID** | CVE-2026-48908 |
| **Severity** | Critical |
| **CVSS v4 Score** | 10.0 |
| **Weakness** | CWE-284 (Improper Access Control) ā Unauthenticated File Upload |
| **Component** | SP Page Builder (`com_sppagebuilder`) for Joomla |
| **Affected Versions** | 1.0.0 ā 6.6.1 |
| **Fixed Version** | 6.6.2 |
| **Privileges Required** | None (preāauthentication) |
| **User Interaction** | None |
| **Attack Vector** | Network |
| **Impact** | Full system compromise (RCE) |
---
## š Description
SP Page Builder exposes the controller task **`asset.uploadCustomIcon`** to handle uploading a custom iconāfont package:
```
index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon
```
In vulnerable versions, this task is reachable **without authentication** and **without a valid CSRF token**. It accepts a ZIP archive (multipart field `custom_icon`) and **extracts its contents** into a publicly accessible directory under the web root:
```
/media/com_sppagebuilder/assets/iconfont//
```
Because the endpoint is accessible preāauthentication and the extracted files land in a browsable location, an attacker can upload arbitrary files and execute PHP code by requesting them over HTTP.
### Code Execution Technique
This exploit defeats common serverāside filename filters using:
1. **Caseāsensitive blocklist bypass** ā The filter rejects lowerācase `.php`, `.phtml`, `.phar`, etc., but **does not normalise case**, so `.PHP` and other mixedācase variants are accepted.
2. **Valid iconāfont structure** ā The exploit packages a valid `selection.json`, `style.css`, and `fonts/.ttf` so the upload is accepted.
3. **Shell placement** ā A PHP web shell is written to `fonts/shxt.{ext}` within the extracted archive.
---
## š¦ Features
- **Multiāthreaded** scanning and exploitation (configurable thread count)
- **Automatic URL fixing** ā appends the required endpoint path automatically
- **Dual extension support** ā attempts `.php` and `.PHP` variants
- **Shell verification** ā checks that the uploaded shell is accessible and functional
- **Result logging** ā saves successful shell URLs to `result.txt`
- **Progress tracking** ā displays realātime status and statistics
---
## š Usage
### Requirements
- Python **2.7**
- `requests` library
### Installation
```bash
git clone https://github.com/Jenderal92/CVE-2026-48908
cd CVE-2026-48908
pip install requests
```
Basic Usage
```bash
python2 CVE-2026-48908.py list.txt
```
With Custom Thread Count
```bash
python2 CVE-2026-48908.py list.txt 20
```
Input File Format
list.txt should contain one target URL per line:
```
https://example.com
http://target-site.com/joomla
https://192.168.1.100/joomla
```
Output
Ā· Successful shell URLs are appended to result.txt
Ā· Each line contains the full URL to the uploaded PHP shell
---
āļø How It Works
1. URL Fixing ā Automatically appends index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon if not already present.
2. ZIP Construction ā Creates a valid iconāfont ZIP archive containing the PHP shell at fonts/shxt.{ext}.
3. Upload ā Sends the ZIP via multipart POST to the vulnerable endpoint.
4. Verification ā Checks if the shell is accessible and returns the expected output (presence of "Upload").
5. Logging ā Saves successful shell URLs to result.txt.
Shell Payload
The embedded shell provides:
Ā· Server environment information (php_uname())
Ā· File upload interface for uploading additional files
Ā· Success / failure feedback
---
š”ļø Mitigation
Ā· Upgrade SP Page Builder to version 6.6.2 or newer.
Ā· Audit upload directories for unauthorised files:
Ā· /media/com_sppagebuilder/assets/iconfont/
Ā· Remove any unexpected PHP files found in those directories.
Ā· Review server logs for suspicious POST requests to asset.uploadCustomIcon.
Ā· Deploy a Web Application Firewall (WAF) to block such requests.
---
ā ļø Disclaimer
This tool is for educational and authorised security testing purposes only.
Unauthorised access to computer systems is illegal. The authors assume no responsibility for any misuse or damage caused by this tool. Only use this on systems you own or have explicit written permission to test.
> More Disclaimer You Can see the disclaimer on the cover of Jenderal92. You can check it [HERE !!!](https://github.com/Jenderal92/)
---
š References
Ā· [Censys Advisory](https://censys.com/advisory/cve-2026-48908/)
Ā· [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-48908)
Ā· [JoomShaper Security Announcement](https://www.joomshaper.com/)
---
š License
This project is for educational and research purposes only. Use at your own risk.