JoomShaper SP Page Builder CVE-2026-48908: CISA KEV Patch Guide

CISA added JoomShaper SP Page Builder CVE-2026-48908 to KEV. Back up Joomla sites, update to 6.6.2+, and review for compromise.
JoomShaper SP Page Builder CVE-2026-48908 KEV defensive patch checklist

Update: CISA added CVE-2026-48908 for JoomShaper SP Page Builder to the Known Exploited Vulnerabilities catalog on July 7, 2026. Joomla site owners should patch this as urgent extension maintenance.

What Changed

CISA lists CVE-2026-48908 as a KEV item with a July 10, 2026 due date. The CVE record describes an unauthenticated arbitrary file upload issue that can result in remote code execution. CISA currently lists ransomware campaign use as unknown.

The Joomla Project CNA lists affected SP Page Builder versions as 1.0.0 through 6.6.1. Official JoomShaper and Joomla extension-directory pages list version 6.6.2 with a security fix for upload handling, so affected sites should update to 6.6.2 or later.

Who Should Check

  • Any Joomla site with SP Page Builder installed.
  • Older agency sites where the builder was installed years ago and no longer appears in normal maintenance notes.
  • Hosting accounts that show recent unexpected files, unknown Super User accounts, changed templates, or unexplained outbound mail.
  • Sites that were temporarily protected with a WAF rule but have not actually updated the extension.

Patch First

  1. Take a current file and database backup.
  2. Confirm whether SP Page Builder is installed and record its version.
  3. Update SP Page Builder to 6.6.2 or later through the Joomla updater or a clean vendor package.
  4. Clear Joomla, server, and CDN cache after the update.
  5. Verify the extension version and test core pages that depend on SP Page Builder layouts.

Review For Compromise

After the update, review administrator users, recent file changes, changed templates, suspicious scheduled jobs, and unexpected executable files in writable web folders. Patching closes the vulnerable software path, but it does not remove an attacker who already gained access before the patch.

Hosting Admin Notes

For shared hosting and managed Joomla fleets, prioritize sites where SP Page Builder is installed and internet-facing. Notify customers, run extension inventory checks, and document any site that cannot move to 6.6.2 or later. Use temporary server-side restrictions only as a bridge to patching and cleanup.

Sources

Picture of admin

admin

Leave a Reply

Sign up for our Newsletter

Get the latest information on what is going on in the I.T. World.