🔴 Critical | Source: CISA Known Exploited Vulnerabilities
A critical vulnerability in the JoomShaper SP Page Builder plugin for Joomla allows unauthenticated attackers to upload arbitrary files, including malicious PHP scripts, which can then be executed on the server. This effectively grants full remote code execution to anyone with network access to the site, requiring no credentials whatsoever. CISA has added this to its Known Exploited Vulnerabilities catalogue, confirming active exploitation in the wild.
Security Architect’s Take: Any internet-facing Joomla instance running SP Page Builder should be patched immediately or taken offline; additionally, review web server configurations to ensure uploaded file directories are non-executable, and implement a web application firewall (WAF) rule to block unauthenticated file upload requests as an interim control.
Original advisory: CVE-2026-48908: JoomShaper SP Page Builder