Skip to content

CVE lookup

CVE-2026-48908

Pruva has a verified reproduction for CVE-2026-48908: SP Page Builder for Joomla allows unauthenticated arbitrary file upload via asset.uploadCustomIcon, enabling PHP upload and remote code execution.. The canonical evidence record is REPRO-2026-00269.

REPRO

REPRO-2026-00269

Package

SP Page Builder (com_sppagebuilder) · Joomla extension

Severity

CRITICAL

Status

published