CVE-2026-48908 IBM QRadar · QRadar

Detect CVE-2026-48908 - JoomShaper SP Page Builder Unrestricted File Upload in IBM QRadar

Detects exploitation of CVE-2026-48908, an unrestricted file upload vulnerability (CWE-434) in JoomShaper SP Page Builder for Joomla. Attackers can upload files with dangerous types (e.g., PHP webshells) through the page builder interface, leading to remote code execution. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

QRadar Detection Query

IBM QRadar (QRadar)
sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  URL,
  "Method" AS http_method,
  "Response Code" AS http_status,
  EXTRACT(URL, 'filename=([^&;\r\n]+)') AS uploaded_filename,
  EXTRACT(URL, '\.(php\d?|phtml|phar|asp|aspx|jsp|cgi|pl|py|sh)$') AS dangerous_ext,
  'CVE-2026-48908' AS cve_id,
  90 AS risk_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'Microsoft IIS', 'Nginx', 'F5 BIG-IP', 'Imperva SecureSphere')
  AND LOWER(URL) LIKE '%/components/com_sppagebuilder%'
  AND "Method" = 'POST'
  AND "Response Code" IN ('200', '201', '202')
  AND (
    LOWER(URL) MATCHES REGEX '.*\.(php\d?|phtml|phar|asp|aspx|jsp|cgi|pl|py|sh|bash).*'
    OR LOWER("Request Body") MATCHES REGEX '.*filename.*\.(php\d?|phtml|phar|asp|aspx|jsp).*'
  )
LAST 1 HOURS
ORDER BY event_time DESC
critical severity medium confidence

QRadar AQL query identifying POST requests to JoomShaper SP Page Builder component endpoints containing dangerous file extensions, correlating with CVE-2026-48908 exploitation patterns.

Data Sources

Web Server LogsWAF LogsNetwork Flow Records

Required Tables

events

False Positives & Tuning

  • Administrative users uploading allowed media file types where the URL encoding mimics dangerous extensions
  • Vulnerability scanners probing the endpoint without completing a successful upload
  • Log parsing errors causing benign URLs to appear to match the dangerous extension pattern

Other platforms for CVE-2026-48908


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated PHP Webshell Upload via SP Page Builder

    Expected signal: Web server access log entry: POST /index.php?option=com_sppagebuilder&task=file.upload HTTP/1.1 200; multipart/form-data body containing filename=shell.php with PHP content

  2. Test 2Double Extension Bypass Upload Attempt

    Expected signal: POST request to SP Page Builder upload endpoint with filename containing double extension (.php.jpg); web server logs showing 200 response and file write event to upload directory

  3. Test 3Webshell Execution Verification Post-Upload

    Expected signal: Web server access log entries: GET /images/shell.php HTTP/1.1 200; process execution events showing php-fpm or apache spawning child processes (id, hostname, uname); potential outbound network connections from web server process

Unlock Pro Content

Get the full detection package for CVE-2026-48908 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections