NC4-ALR-2026-000005 : Critical Unauthenticated Remote Code Execution in SP Pagebuilder extension for Joomla — CVE-2026-48908
Introduction

NC4 (NACSA) has observed multiple attacks and incidents involving CVE-2026-48908, a critical improper access control vulnerability (CWE-284) in the SP Page Builder extension for Joomla.

The vulnerability allows an unauthenticated remote attacker to abuse the custom icon upload function to upload and execute arbitrary PHP code, resulting in pre-authentication remote code execution on the affected web server.

Impact

Remote code execution: Successful exploitation grants full arbitrary PHP code execution on the affected web server.

Persistent backdoor: Attackers can drop a web shell, establishing persistent unauthorised access.

Full server compromise: Code execution can lead to data theft, defacement, lateral movement, and complete takeover of the hosting environment.

Confidentiality, integrity, and availability of the affected system and its hosted data are all potentially at risk.

Affected Product

Affected product: SP Page Builder extension for Joomla from joomshaper.net

Affected versions: 1.0.0 to 6.6.1

Recommended version: 6.6.2 or later

Risk level: Critical (CVSS 10.0)

Recommendation

Immediate (Patch)

Update SP Page Builder to version 6.6.2 without delay on all Joomla installations.

For older deployments that cannot meet the requirements of 6.6.2, or where upgrading is not immediately possible, restrict access to the upload functionality so that only authenticated administrators can use it.

Hardening / Mitigation

Restrict web server access to the /tmp/ directory and prevent PHP execution in temporary/upload directories at the web server level.

Optionally deploy a web application firewall rule or intrusion detection system to detect and block suspicious file upload attempts, especially those with PHP extensions.

Restrict upload destinations to directories outside the web root where possible.

Detection / Post-Compromise Forensics

Search web server access logs for suspicious POST requests to SP Page Builder upload paths (e.g. index.php?option=com_sppagebuilder&task=...).

Look for newly created or recently modified PHP files in Joomla media, upload, and /tmp/ directories.

Inspect upload and temporary directories for unexpected content (web shells).

If compromise is confirmed, isolate the host, preserve evidence, and initiate incident response. Assume credential theft and lateral movement until proven otherwise.
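
An added example (not part of the NC4 advisory) of the log and file checks described above: it flags POST requests whose query string names com_sppagebuilder and lists recently modified PHP files under chosen directories. The combined log format, the function names, the sample lines and the EXAMPLE_TASK placeholder are assumptions; supply the directories from the actual installation.

```python
import os
import re
import time
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format (assumed; adjust for a custom LogFormat).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def suspicious_posts(lines):
    """Return POSTs whose query string names com_sppagebuilder (POST bodies are not logged)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        if "com_sppagebuilder" not in query.get("option", []):
            continue
        hits.append({
            "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "task": query.get("task", [""])[0],
        })
    return hits

def recent_php_files(roots, days=30, now=None):
    """Return PHP-like files under roots modified within the last `days` days."""
    cutoff = (now or time.time()) - days * 86400
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                # lstat does not follow symlinks, so dangling links do not raise.
                if re.search(r"\.(php\d?|phtml|phar)$", name, re.I) \
                        and os.lstat(path).st_mtime >= cutoff:
                    found.append(path)
    return sorted(found)

# Constructed sample lines (documentation IP ranges, placeholder task name).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "POST /index.php?option=com_sppagebuilder&task=EXAMPLE_TASK HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jan/2026:10:00:05 +0000] "GET /index.php?option=com_sppagebuilder&view=page&id=3 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2026:10:00:09 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(*suspicious_posts(SAMPLE), sep="\n")
```

Hits are leads for review rather than proof of compromise: correlate the client IP and timestamp of each flagged POST with any PHP file reported by recent_php_files.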

Reporting

Malaysian NCII entities affected by this advisory are advised to report indicators or incidents to NC4, as required under Act 854, for national coordination and intelligence sharing.

References

NVD — CVE-2026-48908    https://nvd.nist.gov/vuln/detail/CVE-2026-48908

OpenCVE – CVE-2026-48908    https://app.opencve.io/cve/CVE-2026-48908

CVE-2026-48908-PoC    https://github.com/papageo75/CVE-2026-48908-PoC
