CVE-2026-48908 / CVE-2026-56290 — two Joomla page-builder extensions hit CISA KEV the same day for unauth file-upload RCE zero-days
Two unrelated third-party Joomla page-builder extensions were both added to CISA KEV on 7 July 2026 for near-identical unauthenticated file-upload-to-RCE flaws, both already exploited as zero-days. CVE-2026-48908 (JoomShaper SP Page Builder, CVSS 10.0, CWE-434) sits in the component's asset.uploadCustomIcon task, reachable at index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon with no authentication and no file-type validation, affecting versions through 6.6.1 (fixed 6.6.2); mySites.guru observed live attacks planting hidden Super Administrator accounts (typically @secure.local) for persistence surviving the entry-point patch (mySites.guru, 2026-07-08). CVE-2026-56290 (Joomlack Page Builder CK, CVSS 10.0, CWE-284) is a front-end upload handler that validated only a CSRF token — no authentication, no authorization — and accepted an attacker-controlled destination folder and filename including the extension, letting a PHP file be written and executed anywhere web-accessible; it affects up to 3.5.10, fixed in 3.6.0 with back-ports to 3.1.1 (Joomla 3) and 3.4.10 (Joomla 4), and the vendor's own suspect-content tooling flagged a live web shell within hours of the fix landing (mySites.guru, 2026-07-07). The Hacker News corroborates both as KEV-listed and actively exploited (The Hacker News, 2026-07-08). Defender takeaway: both extensions are common on small-business, municipal and public-sector Joomla sites across the EU; the transferable lesson is the recurring class — an unauthenticated third-party component endpoint that accepts a file with no type/ownership check — so inventory every page-builder / gallery / form add-on in a Joomla estate, not just these two, and watch access logs for POSTs to component upload tasks returning 200 followed by a GET to a newly-named file.
Already exploited in the wild. The payload plants a hidden Super Administrator account, usually with an @secure.local email.
CVE-2026-48908, on the other hand, is said to have been exploited as a zero-day to upload a PHP file by means of an HTTP POST request to the 'index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon' endpoint.
Defender actions
- Update SP Page Builder to ≥ 6.6.2 and Page Builder CK to ≥ 3.6.0 (or the 3.1.1 / 3.4.10 back-ports) on every Joomla site running them.
- Hunt for newly created Joomla Super User / Super Administrator accounts (especially @secure.local addresses) and web shells written under the site web root; patching the entry point does not remove an already-planted admin account.
Entities & scope
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.