CVE-2026-48908 - JoomShaper SP Page Builder Unrestricted File Upload
Detects exploitation of CVE-2026-48908, an unrestricted file upload vulnerability (CWE-434) in JoomShaper SP Page Builder for Joomla. Attackers can upload files with dangerous types (e.g., PHP webshells) through the page builder interface, leading to remote code execution. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- JoomShaper
- Product
- SP Page Builder
Weakness (CWE)
Timeline
- Disclosed
- July 7, 2026
References & Proof of Concept
- https://extensions.joomla.org/extension/sp-page-builder/
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-48908
What is CVE-2026-48908 CVE-2026-48908 - JoomShaper SP Page Builder Unrestricted File Upload?
CVE-2026-48908 - JoomShaper SP Page Builder Unrestricted File Upload (CVE-2026-48908) maps to the Initial Access and Execution and Persistence tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for CVE-2026-48908 - JoomShaper SP Page Builder Unrestricted File Upload, covering the data sources and telemetry it touches: Azure Application Gateway Logs, IIS W3C Logs, WAF/Proxy Logs, CommonSecurityLog. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
union
(
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where requestUri_s matches regex @"(?i)/components/com_sppagebuilder/.*upload"
| where httpStatus_d in (200, 201, 202)
| extend FileName = extract(@"filename[^;\r\n]*;[\s]*filename[^;\r\n]*=[\s]*([^;\r\n]*)", 1, tostring(requestBody_s))
| extend FileExt = extract(@"\.(php\d?|phtml|phar|asp|aspx|jsp|cgi|pl|py|rb|sh|bash)$", 0, tolower(FileName))
| where isnotempty(FileExt)
| extend AlertDetail = strcat("Dangerous file upload via SP Page Builder: ", FileName)
| project TimeGenerated, requestUri_s, clientIP_s, FileName, FileExt, AlertDetail
),
(
W3CIISLog
| where csUriStem matches regex @"(?i)/components/com_sppagebuilder"
| where csMethod == "POST"
| where scStatus in (200, 201)
| extend SuspiciousExt = extract(@"(?i)\.(php\d?|phtml|phar|asp|aspx|jsp|cgi|pl|py|rb|sh|bash)", 0, csUriQuery)
| where isnotempty(SuspiciousExt)
| project TimeGenerated, cIP, csUriStem, csUriQuery, scStatus, SuspiciousExt
),
(
CommonSecurityLog
| where DeviceVendor == "Imperva" or DeviceVendor == "F5"
| where RequestURL matches regex @"(?i)/components/com_sppagebuilder.*upload"
| where RequestMethod == "POST"
| where AdditionalExtensions matches regex @"(?i)\.(php|phtml|phar|asp|aspx|jsp)"
| project TimeGenerated, SourceIP, RequestURL, RequestMethod, AdditionalExtensions
)
| extend CVE = "CVE-2026-48908"
| extend Tactic = "Initial Access / Execution"
| extend RiskScore = 90 Detects HTTP POST requests to SP Page Builder upload endpoints containing dangerous file extensions (PHP, ASP, JSP, etc.) indicating potential webshell upload exploitation of CVE-2026-48908.
Data Sources
Required Tables
False Positives
- Legitimate administrative file uploads by Joomla administrators using SP Page Builder for authorized content
- Security scanning tools performing vulnerability assessments against the Joomla installation
- Penetration testing activities against the web application with prior authorization
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-48908 - JoomShaper SP Page Builder Unrestricted File Upload (CVE-2026-48908) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windows Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-48908
References (4)
- https://extensions.joomla.org/extension/sp-page-builder/
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-48908
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated PHP Webshell Upload via SP Page Builder
Expected signal: Web server access log entry: POST /index.php?option=com_sppagebuilder&task=file.upload HTTP/1.1 200; multipart/form-data body containing filename=shell.php with PHP content
- Test 2Double Extension Bypass Upload Attempt
Expected signal: POST request to SP Page Builder upload endpoint with filename containing double extension (.php.jpg); web server logs showing 200 response and file write event to upload directory
- Test 3Webshell Execution Verification Post-Upload
Expected signal: Web server access log entries: GET /images/shell.php HTTP/1.1 200; process execution events showing php-fpm or apache spawning child processes (id, hostname, uname); potential outbound network connections from web server process
Unlock Pro Content
Get the full detection package for CVE-2026-48908 including response playbook, investigation guide, and atomic red team tests.