Site icon Fix I.T. Phill – Your Go-To Tech Guru

JoomShaper SP Page Builder CVE-2026-48908: CISA KEV Patch Guide

JoomShaper SP Page Builder CVE-2026-48908 KEV defensive patch checklist

JoomShaper SP Page Builder CVE-2026-48908 KEV defensive patch checklist

Update: CISA added CVE-2026-48908 for JoomShaper SP Page Builder to the Known Exploited Vulnerabilities catalog on July 7, 2026. Joomla site owners should patch this as urgent extension maintenance.

What Changed

CISA lists CVE-2026-48908 as a KEV item with a July 10, 2026 due date. The CVE record describes an unauthenticated arbitrary file upload issue that can result in remote code execution. CISA currently lists ransomware campaign use as unknown.

The Joomla Project CNA lists affected SP Page Builder versions as 1.0.0 through 6.6.1. Official JoomShaper and Joomla extension-directory pages list version 6.6.2 with a security fix for upload handling, so affected sites should update to 6.6.2 or later.

Who Should Check

Patch First

  1. Take a current file and database backup.
  2. Confirm whether SP Page Builder is installed and record its version.
  3. Update SP Page Builder to 6.6.2 or later through the Joomla updater or a clean vendor package.
  4. Clear Joomla, server, and CDN cache after the update.
  5. Verify the extension version and test core pages that depend on SP Page Builder layouts.

Review For Compromise

After the update, review administrator users, recent file changes, changed templates, suspicious scheduled jobs, and unexpected executable files in writable web folders. Patching closes the vulnerable software path, but it does not remove an attacker who already gained access before the patch.

Hosting Admin Notes

For shared hosting and managed Joomla fleets, prioritize sites where SP Page Builder is installed and internet-facing. Notify customers, run extension inventory checks, and document any site that cannot move to 6.6.2 or later. Use temporary server-side restrictions only as a bridge to patching and cleanup.

Sources

Exit mobile version