SP Page Builder Security Notice
If you received an email from me pointing you to this page, it is because your website
appears to be running a vulnerable version of SP Page Builder (JoomShaper’s
com_sppagebuilder), a page-builder extension for the Joomla content management system.
This page explains why that matters and how to fix it.
This notice concerns CVE-2026-48908, a critical (CVSS 10.0), actively exploited flaw that allows unauthenticated remote code execution through the extension’s custom-icon upload feature. It affects SP Page Builder versions 1.0.0 through 6.6.1 and is fixed in 6.6.2. If you are running an affected version, upgrade to SP Page Builder 6.6.2 or later as soon as possible. Because this was exploited as a zero-day, you should also check your site for signs of compromise (see If you were on an affected version below).
This is an extension flaw, not a Joomla core flaw. It affects sites on Joomla 3, 4, 5, and 6 alike: a fully up-to-date Joomla core does not protect you if the SP Page Builder extension itself is out of date.
Is this message legitimate?
Yes. This is a good-faith, responsible-disclosure notice from an independent security researcher. I am not asking you for money, passwords, or access to your site, and I have not attempted to break into it, upload anything, or exploit anything.
All I did was look at publicly visible files that your website serves to every visitor (the same way your homepage is public) and note the version number that the SP Page Builder extension publishes in those files. I specifically did not touch the vulnerable upload feature. Nothing about this check touches your data, your admin area, or any private part of your site.
If you would like to verify who I am, see the contact details at the bottom of this page and the About page.
Why this matters
SP Page Builder is a very widely used drag-and-drop page builder for Joomla. In affected versions, a feature meant to let administrators upload a custom icon set can be reached without logging in and without any security token, and it does not properly check what kind of file is being uploaded. That combination lets an attacker upload a program of their choosing and run it on your server: full remote code execution.
This is not a theoretical risk. The flaw was scored 10.0 out of 10, was exploited in the wild as a zero-day, and was added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog on 7 July 2026, with a federal patching deadline of 10 July 2026. Real-world attacks using this flaw have installed hidden administrator accounts and web-based backdoors for persistent access.
If my email cited this issue, it means the version your site reports falls within the affected range. I did not test whether your particular site is exploitable or already compromised, only that it reports an affected version.
The good news: updating to a fixed version closes the hole, and the update is straightforward.
How to check your version
You do not have to take my word for which version you are running.
From the public manifest (no login needed): open
yourdomain.com/administrator/components/com_sppagebuilder/sppagebuilder.xml in a browser.
The <version> line is the version your SP Page Builder install reports, and this is the
same public file I read.
From the admin area (if you have access):
- Log in to your Joomla administrator (usually at
yourdomain.com/administrator). - Go to System then Manage then Extensions (or Extensions then Manage, depending on your Joomla version).
- Search for SP Page Builder and note the installed version.
If the version is 6.6.1 or lower, you are on an affected version and should upgrade. 6.6.2 and later are fixed.
How to upgrade
The safest path is to update through Joomla itself, and to back up first:
- Back up your site (files and database) before making changes. Most hosting providers offer one-click backups, or use a Joomla backup extension.
- In the Joomla admin, open Extensions then Manage then Update, and click Find Updates. If an SP Page Builder update is listed, install it from here.
- If no update appears there, download the latest release directly from the vendor, JoomShaper, at https://www.joomshaper.com/page-builder and install it via Extensions then Install.
- After upgrading, confirm the new version number (6.6.2 or later) using the steps above, and check that your site loads and edits normally.
While you are in there, it is worth confirming that Joomla itself and your other extensions are up to date, since the same principle applies to all of them.
If you were on an affected version
Because this flaw was exploited before a fix was available, a site that ran an affected version should not assume that simply updating is enough. You should also check whether the site was already broken into. Publicly documented attacks using this vulnerability have left behind these traces, which you (or your webmaster) can look for on your own site:
- Rogue administrator accounts. Attackers created hidden Super User accounts, often
with email addresses ending in
@secure.localand usernames such aswebeditor,contentmgr,sysadmin,webmaster,portaladmin,siteeditor,webmanager, orcmsadmin(frequently with two digits on the end, e.g.webeditor48). Review your user list in Users then Manage and remove any you do not recognize. - Backdoor files. Unexpected PHP files under
/media/com_sppagebuilder/assets/iconfont/, or stray files such as/media/com_admin/users.phpor/media/regularlabs/users.php. A common backdoor identifies itself with the text “PHP File manager” inside the file.
If you find any of these, treat the site as compromised: remove the rogue accounts and files, rotate all credentials (Joomla admin, database, FTP/SSH, hosting panel), force all users to log back in, and consider restoring from a known-good backup taken before the intrusion. If your organization has an IT security team or a national CERT, loop them in.
I want to be clear: I have not checked your site for any of these indicators, and I do not know whether your site was affected. This list is here so you can check for yourself.
I do not have a webmaster / I am stuck
If you are not the person who maintains the site, please forward this page to whoever does (your web developer, agency, or hosting provider). They will recognize the steps above quickly.
If you are maintaining the site yourself and get stuck, I am happy to help point you in the right direction at no cost. Reach out using the contact details below.
Contact
Evan Harris, Security Researcher
- Email: security@mail.mcpsec.dev
- X: @Evan__Harris
- GitHub: eharris128
- LinkedIn: Evan Harris
I reach out about issues like this purely to help operators secure their sites. If you would prefer not to be contacted again, just let me know and I will honor that.
References
Official advisories and tracking
- NVD entry (CVE-2026-48908)
- GitHub Advisory Database (GHSA-8fwr-8fxr-8v2p)
- CISA Known Exploited Vulnerabilities catalog
- CISA alert (7 July 2026)
Vendor (JoomShaper)
Reporting and analysis