Share
## https://sploitus.com/exploit?id=E2A4520E-343C-5B17-9530-563810F86EA4
# CVE-2026-48908 — SP Page Builder (Joomla) Unauthenticated RCE Exploit

> **Critical** (CVSS v4: 10.0) — Proof-of-concept exploit for unauthenticated remote code execution in SP Page Builder (`com_sppagebuilder`) for Joomla.

---

## šŸ“‹ Vulnerability Overview

| Attribute          | Value                                                           |
|--------------------|-----------------------------------------------------------------|
| **CVE ID**         | CVE-2026-48908                                                  |
| **Severity**       | Critical                                                        |
| **CVSS v4 Score**  | 10.0                                                            |
| **Weakness**       | CWE-284 (Improper Access Control) → Unauthenticated File Upload |
| **Component**      | SP Page Builder (`com_sppagebuilder`) for Joomla                |
| **Affected Versions** | 1.0.0 – 6.6.1                                               |
| **Fixed Version**  | 6.6.2                                                           |
| **Privileges Required** | None (pre‑authentication)                                   |
| **User Interaction** | None                                                          |
| **Attack Vector**  | Network                                                         |
| **Impact**         | Full system compromise (RCE)                                    |

---

## šŸ” Description

SP Page Builder exposes the controller task **`asset.uploadCustomIcon`** to handle uploading a custom icon‑font package:

```

index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon

```

In vulnerable versions, this task is reachable **without authentication** and **without a valid CSRF token**. It accepts a ZIP archive (multipart field `custom_icon`) and **extracts its contents** into a publicly accessible directory under the web root:

```

/media/com_sppagebuilder/assets/iconfont//

```

Because the endpoint is accessible pre‑authentication and the extracted files land in a browsable location, an attacker can upload arbitrary files and execute PHP code by requesting them over HTTP.

### Code Execution Technique

This exploit defeats common server‑side filename filters using:

1. **Case‑sensitive blocklist bypass** – The filter rejects lower‑case `.php`, `.phtml`, `.phar`, etc., but **does not normalise case**, so `.PHP` and other mixed‑case variants are accepted.
2. **Valid icon‑font structure** – The exploit packages a valid `selection.json`, `style.css`, and `fonts/.ttf` so the upload is accepted.
3. **Shell placement** – A PHP web shell is written to `fonts/shxt.{ext}` within the extracted archive.

---

## šŸ“¦ Features

- **Multi‑threaded** scanning and exploitation (configurable thread count)
- **Automatic URL fixing** – appends the required endpoint path automatically
- **Dual extension support** – attempts `.php` and `.PHP` variants
- **Shell verification** – checks that the uploaded shell is accessible and functional
- **Result logging** – saves successful shell URLs to `result.txt`
- **Progress tracking** – displays real‑time status and statistics

---

## šŸš€ Usage

### Requirements

- Python **2.7**
- `requests` library

### Installation

```bash
git clone https://github.com/Jenderal92/CVE-2026-48908
cd CVE-2026-48908
pip install requests
```

Basic Usage

```bash
python2 CVE-2026-48908.py list.txt
```

With Custom Thread Count

```bash
python2 CVE-2026-48908.py list.txt 20
```

Input File Format

list.txt should contain one target URL per line:

```
https://example.com
http://target-site.com/joomla
https://192.168.1.100/joomla
```

Output

Ā· Successful shell URLs are appended to result.txt
Ā· Each line contains the full URL to the uploaded PHP shell

---

āš™ļø How It Works

1. URL Fixing – Automatically appends index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon if not already present.
2. ZIP Construction – Creates a valid icon‑font ZIP archive containing the PHP shell at fonts/shxt.{ext}.
3. Upload – Sends the ZIP via multipart POST to the vulnerable endpoint.
4. Verification – Checks if the shell is accessible and returns the expected output (presence of "Upload").
5. Logging – Saves successful shell URLs to result.txt.

Shell Payload

The embedded shell provides:

Ā· Server environment information (php_uname())
Ā· File upload interface for uploading additional files
Ā· Success / failure feedback

---

šŸ›”ļø Mitigation

Ā· Upgrade SP Page Builder to version 6.6.2 or newer.
Ā· Audit upload directories for unauthorised files:
  Ā· /media/com_sppagebuilder/assets/iconfont/
Ā· Remove any unexpected PHP files found in those directories.
Ā· Review server logs for suspicious POST requests to asset.uploadCustomIcon.
Ā· Deploy a Web Application Firewall (WAF) to block such requests.

---

āš ļø Disclaimer

This tool is for educational and authorised security testing purposes only.

Unauthorised access to computer systems is illegal. The authors assume no responsibility for any misuse or damage caused by this tool. Only use this on systems you own or have explicit written permission to test.

 > More Disclaimer You Can see the disclaimer on the cover of Jenderal92. You can check it [HERE !!!](https://github.com/Jenderal92/)
---

šŸ“š References

Ā· [Censys Advisory](https://censys.com/advisory/cve-2026-48908/)
Ā· [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-48908)
Ā· [JoomShaper Security Announcement](https://www.joomshaper.com/)

---

šŸ“„ License

This project is for educational and research purposes only. Use at your own risk.