๐ฅ This vulnerability is being actively exploited in the wild (CISA Known Exploited Vulnerabilities catalog)
CVE-2026-48908: JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability
Summary
JoomShaper SP Page Builder has a vulnerability that allows anyone to upload dangerous files, including PHP code (executable website scripts), without needing to log in first. This could let attackers run their own code on a website using this plugin.
Solution / Mitigation
Apply mitigations according to vendor instructions while following CISA's BOD 26-04 guidance for security updates. If mitigations are unavailable, discontinue use of the product. Organizations must evaluate their internet exposure and ensure adherence to BOD 26-04 patching guidelines by the due date of 2026-07-10.
Vulnerability Details
EPSS: 0.8%
Yes
๐ฅ Actively Exploited
July 6, 2026
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-48908
First tracked: July 7, 2026 at 02:01 PM
Classified by LLM (prompt v3) ยท confidence: 95%