Detect CVE-2026-48908 - JoomShaper SP Page Builder Unrestricted File Upload in Splunk
Detects exploitation of CVE-2026-48908, an unrestricted file upload vulnerability (CWE-434) in JoomShaper SP Page Builder for Joomla. Attackers can upload files with dangerous types (e.g., PHP webshells) through the page builder interface, leading to remote code execution. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
SPL Detection Query
index=web OR index=iis OR index=proxy
| eval uri=coalesce(uri_path, cs_uri_stem, request, url)
| eval method=coalesce(http_method, cs_method, method)
| eval status=coalesce(status, sc_status, http_response_code)
| eval src_ip=coalesce(src_ip, c_ip, clientip, src)
| where match(uri, "(?i)/components/com_sppagebuilder")
| where method="POST"
| where status IN ("200", "201", "202")
| eval body=coalesce(request_body, cs_uri_query, post_data, "")
| eval filename=if(match(body, "(?i)filename"), rex(body, "filename[^=]*=\s*[\"']?(?P<extracted_filename>[^\"\'\r\n;]+)"), "")
| eval file_ext=lower(rex(coalesce(filename, uri), "\.(?P<ext>php\d?|phtml|phar|asp|aspx|jsp|cgi|pl|py|rb|sh|bash)$"))
| where isnotnull(file_ext) AND file_ext!=""
| eval cve="CVE-2026-48908"
| eval risk_score=90
| eval mitre_technique="T1190,T1505.003"
| stats count AS upload_attempts, values(file_ext) AS dangerous_extensions, values(uri) AS upload_uris, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip, status, cve
| where upload_attempts >= 1
| sort -upload_attempts Detects POST requests to SP Page Builder component paths containing dangerous file extensions, indicating potential exploitation of CVE-2026-48908 unrestricted file upload vulnerability.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized Joomla administrators uploading media files through SP Page Builder that may have ambiguous filenames
- File upload from known internal IP ranges performing legitimate content management
- Automated content management scripts that post to Joomla component endpoints
Other platforms for CVE-2026-48908
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated PHP Webshell Upload via SP Page Builder
Expected signal: Web server access log entry: POST /index.php?option=com_sppagebuilder&task=file.upload HTTP/1.1 200; multipart/form-data body containing filename=shell.php with PHP content
- Test 2Double Extension Bypass Upload Attempt
Expected signal: POST request to SP Page Builder upload endpoint with filename containing double extension (.php.jpg); web server logs showing 200 response and file write event to upload directory
- Test 3Webshell Execution Verification Post-Upload
Expected signal: Web server access log entries: GET /images/shell.php HTTP/1.1 200; process execution events showing php-fpm or apache spawning child processes (id, hostname, uname); potential outbound network connections from web server process
References (4)
- https://extensions.joomla.org/extension/sp-page-builder/
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-48908
Unlock Pro Content
Get the full detection package for CVE-2026-48908 including response playbook, investigation guide, and atomic red team tests.