In recent days, Joomla website administrators have been dealing with another extremely serious security issue. Shortly after the critical vulnerability in the JCE editor, which allowed unauthorized uploading of an editor profile and, in the worst case, the upload of malicious files, a similarly dangerous vulnerability has appeared in the SP Page Builder extension.
The vulnerability is registered as CVE-2026-48908 and affects SP Page Builder versions older than 6.6.2. According to the available information, it allows an unauthenticated attacker to upload any file to the website, which may lead to the execution of PHP code on the server and therefore to full control over the compromised website. The vulnerability is rated as critical and represents an immediate security risk for vulnerable installations.
Why the SP Page Builder vulnerability is so dangerous
SP Page Builder is one of the widely used extensions for content creation and visual page building in Joomla. That is why this issue is comparable in severity to the recent JCE vulnerability. This is not just a theoretical weakness in the code. According to security analyses, the vulnerability is already being exploited in practice.
The attack is carried out through the custom icon upload function, specifically through the task:
asset.uploadCustomIconIn vulnerable versions, this function did not perform sufficient access control and file type validation.
In practice, this means that an attacker can upload a malicious PHP file to the website without knowing the password and without access to the administration. Such a file can then serve as a backdoor, file manager, tool for further spreading the attack, or a way to create a hidden administrator account.
JCE and SP Page Builder: two critical vulnerabilities shortly after each other
The recent JCE vulnerability, identified as CVE-2026-48907, involved unauthorized uploading of editor profiles. These profiles could be abused to allow dangerous uploads and subsequently upload malicious files.
The SP Page Builder vulnerability is very similar in its impact. Once again, it involves the possibility of uploading a file without proper authorization. The difference lies only in the specific extension and the abused function. For website owners, however, the result is the same – if the website is vulnerable, it can be compromised even without breaking into the administration account.
Who is affected
The risk applies to Joomla websites with SP Page Builder versions lower than 6.6.2 installed. The fixed version is 6.6.2, in which the developer states that upload endpoints have received a security fix.
Websites that may be particularly at risk include those that:
- use SP Page Builder and have not been updated in recent days,
- run older versions of Joomla and extensions,
- are not regularly monitored,
- do not have an active application firewall,
- or have been running for a long time without technical maintenance.
How to identify a possible compromise
Website administrators should search the logs for requests containing:
option=com_sppagebuilder
task=asset.uploadCustomIconPOST requests ending with the HTTP status code 200 are especially suspicious. It is also advisable to check for newly created PHP files in the images, media, tmp, cache directories and other writable parts of the website.
Security analyses also warn about the possible creation of hidden administrator accounts, for example with email addresses ending in:
@secure.localRecommended steps
All websites using SP Page Builder must be checked immediately and updated to version 6.6.2 or newer. However, the update itself may not be enough if the website has already been compromised. In such a case, a complete security audit is required.
We especially recommend:
- checking the SP Page Builder version,
- updating the extension to the latest available version,
- reviewing access logs and looking for exploitation attempts,
- checking for suspicious PHP files in writable directories,
- reviewing administrator accounts in Joomla,
- checking
.htaccessfiles, templates, plugins and cron jobs, - changing passwords for administrators, FTP/SFTP/SSH and the database if there is any suspicion of compromise.
MyDreams.cz performs Joomla website checks and security hardening
After the recent JCE vulnerability, we have already checked a large number of Joomla websites and, in compromised installations, performed malware removal, updates and additional security hardening. We are now checking for vulnerable SP Page Builder installations with the same priority.
For newer Joomla websites, we recommend updating the component to the latest version. For older websites, where a simple update is no longer possible due to outdated PHP, templates or incompatible extensions, an individual approach is required – from temporary blocking of the vulnerable endpoint, through installing a security firewall, to replacing or removing the problematic extension.
Conclusion
Within a short period of time, two very serious vulnerabilities have appeared in popular Joomla extensions – first JCE and now SP Page Builder. Both vulnerabilities share one dangerous feature: the possibility of exploitation without login and the potential upload of malicious code to the server.
That is why we recommend not waiting until the problem becomes visible through an obvious website compromise. With vulnerabilities of this kind, attackers often first create a backdoor, while the website may continue to appear completely normal for some time. Regular maintenance, updates and log monitoring are currently the most effective protection.
If you operate a Joomla website and are not sure whether you are using a vulnerable version of SP Page Builder or JCE, we recommend carrying out a security check as soon as possible.