[URGENT] Potential Security Vulnerability Identified In SP Page Builder (v6.1.1) - Question | JoomShaper


62 Answers
Ziaul Kabir
Support Agent 3 days ago #225808

Please, check our latest build and let us know the update.

Thanks

0
S-D CONSULTING
3 days ago #225765

While awaiting feedback, I'd like to point out that I was able to patch the solution by configuring the server

0
Ziaul Kabir
Support Agent 3 days ago #225769

Hi,

Thank you for your detailed report and for following a responsible disclosure process.

We have forwarded the information you provided to our development and security teams for further review and investigation. We appreciate the time and effort you invested in documenting the issue, as well as the additional context regarding observed activity and your mitigation measures.

Our team will carefully assess the reported behavior, including the points related to authentication, CSRF protection, and file extraction validation. If any additional information, logs, or samples are required during the review process, we will contact you directly.

Thank you again for bringing this matter to our attention and for your patience while the investigation is underway. We will provide an update as soon as we receive feedback from the development team.

Best regards,

1
Ziaul Kabir
Support Agent 3 days ago #225788

Hello,

Could you please delete this post or make it private? We have identified the issues and our team is actively working on a fix.

Thank you for your consideration and support.

Best regards,

0
S-D CONSULTING
3 days ago #225797

Sorry, I don't understand. Do I have to delete the entire forum post?

How do I do that?

0
Paul Frankowski
Senior Staff 3 days ago #225792

BTW

and afterwards please check today's update.

0
S-D CONSULTING
3 days ago #225810

Hi,

Thank you for the quick turnaround and for taking this security report seriously.

0
Paul Frankowski
Senior Staff 3 days ago #225812

I have an important request before saying a big thanks to you:

please cut the details from your last message and paste them inside the "Hidden Content" area, as you did before.

Not everyone has updated SPPB so far, and "bots/bad people" also read what they can... and hidden content is seen only by you and the support team.

0
S-D CONSULTING
3 days ago #225816

Can you see now?

0
Paul Frankowski
Senior Staff 3 days ago #225855

It's OK, thx (hidden)

0
Marin
3 days ago #225815

Hi,

Thank you for reporting this.

We have a website that appears to have been compromised, and Imunify360 detected several suspicious scripts and removed them from the server. Since SP Page Builder is installed on the site, we are concerned this may be related to the vulnerability described here.

Could you please provide guidance for affected users on what steps we should take next to ensure the site is safe?

Specifically, we would like to know:

  • Which files, folders, database tables, or settings should we check?
  • Is simply removing the detected scripts enough, or should we assume that admin users, passwords, API keys, or database content may also be compromised?

We would appreciate clear remediation steps for affected users, including what should be changed, cleaned, reinstalled, or audited after detection of suspicious scripts.

Best regards.

0
Thomas Harsch
3 days ago #225822

My site was compromised. I patched my NGINX configuration and installed the latest SP PB update.

I found the following to delete:

  • About 10 Superusers were added; they could be deleted in the Admin interface
  • Two site templates were installed; they could be erased in the Admin interface
  • Several entries were installed under /media/com_sppagebuilder/assets; these had to be removed from the CLI
  • Several entries were installed in Individual icons; these could be deleted in the Page Builder settings interface

I also checked the database for suspect entries but did not find any.

I am not posting this to expose anybody, I am posting this to help other possible victims clean up their systems. Please follow up with any additional hints or places I have missed to search.

0
David
2 days ago #225874

Thanks for sharing these cleanup notes.

Did you happen to preserve any of the PHP files that were uploaded under /media/com_sppagebuilder/assets before deleting them?

I am trying to determine whether the payloads only created Joomla superuser accounts and assigned Super User permissions, or whether they also attempted anything else, such as reading configuration.php, dumping database data, exfiltrating credentials, installing persistence, or modifying templates/plugins.

Did you find any evidence of data exfiltration, config access, database dumps, outbound callbacks, or additional webshells outside /media/com_sppagebuilder/assets?

0
Paul Frankowski
Senior Staff 3 days ago #225847

Hi Thomas,

it was fixed in today's update (as an urgent morning task). We will do more penetration tests in the next few days to harden SPPB even more.

  1. Have you had / do you also have the old JCE editor?
  2. If this site is important, consider also using an extra firewall component; it's always an extra wall with archers (!)
  3. Block the IP that tried doing bad things. Some hosting panels allow that. You have the full right to do that.
0
Thomas Harsch
2 days ago #225868

No, I did not have JCE installed. I saw the attacker also tried that, but just got a "Plugin not available".

I am considering programming a little script that watches my access logs and automatically blocks attackers' IPs with the Linux firewall.

0
Paul Frankowski
Senior Staff 3 days ago #225851

Hi Marin,

you have to scan the whole site. Later also check the others on the same server.

For sure delete all .shtml files that you may have in root folder.


To scan website use:

  • Imunify360 or similar software from your Hosting Panel. The premium version also allows you to clean malware files in two clicks.
  • OR, just ask hosting company if you don't have access to any antivirus in Panel to scan site for you.
  • Manually check all major folders for extra index.php and .htaccess files that shouldn't be there.
  • Use Firewall component for Joomla to scan site deeply
  • Clear content of /tmp and /cache folder from Joomla, keep only index.html file.
  • Check the folders /images/ and /media/: there shouldn't be any .php file there; if you have any, delete it (!)
  • Reinstall Joomla core files (important step!)
  • Reinstall Template core files (important step!)
  • Update extensions if you forgot about any, focus on JCE etc.
  • Check used extensions, maybe one or two of them you don't need anymore, and you can uninstall it.
  • Force-logout all sessions
  • Clear Trash in Hosting Panel (hosting account).
  • Configure Apache and ModSecurity to strictly deny PHP execution inside /images/ and /media/ directories, rendering any uploaded webshell inert.

Those are also malware files, but in "hidden/cheat mode" (example from JCE case)

(attached screenshot: info__254.png)

0
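A file-system audit that mechanises the checklist above (no .php under /images/ or /media/, no .shtml in the web root, nothing but index.html in /tmp and /cache) plus a content search for a marker string; the default marker "secure.local" and the ".php.gif" disguise are the ones reported later in this thread. This is an added example, not JoomShaper's or anyone's code from the thread; the sample site tree it builds is constructed for illustration and every path in it is an assumption.

```python
import os
import tempfile

# Constructed from the cleanup checklist above; not an official IoC list.
UPLOAD_DIRS = ("images", "media")                   # must never hold executable PHP
SUSPECT_SUFFIXES = (".php", ".phtml", ".php.gif")   # ".php.gif" is the disguise reported below
TRANSIENT_DIRS = ("tmp", "cache")                   # should hold only index.html after cleanup
MAX_SCAN_BYTES = 2 * 1024 * 1024                    # skip large binaries when grepping content


def _files_under(base):
    """Yield every file path below base; a missing directory simply yields nothing."""
    for dirpath, _, names in os.walk(base):
        for name in names:
            yield os.path.join(dirpath, name)


def audit(site_root, marker=b"secure.local"):
    """Return findings as sorted lists of paths relative to site_root (all should be empty)."""
    php_uploads, marked, leftovers = [], [], []
    for sub in UPLOAD_DIRS:
        for path in _files_under(os.path.join(site_root, sub)):
            if path.lower().endswith(SUSPECT_SUFFIXES):
                php_uploads.append(os.path.relpath(path, site_root))
    for sub in TRANSIENT_DIRS:
        base = os.path.join(site_root, sub)
        if os.path.isdir(base):
            leftovers += [os.path.join(sub, n) for n in os.listdir(base) if n != "index.html"]
    for path in _files_under(site_root):                # content search for the marker string
        try:
            if os.path.getsize(path) <= MAX_SCAN_BYTES:
                with open(path, "rb") as fh:
                    if marker in fh.read():
                        marked.append(os.path.relpath(path, site_root))
        except OSError:
            continue
    shtml = [n for n in os.listdir(site_root)           # .shtml directly in the web root
             if n.lower().endswith(".shtml") and os.path.isfile(os.path.join(site_root, n))]
    return {"php_in_upload_dirs": sorted(php_uploads), "shtml_in_root": sorted(shtml),
            "files_with_marker": sorted(marked), "leftovers_in_transient_dirs": sorted(leftovers)}


def demo_audit():
    """Build a constructed sample site in a temp dir and audit it; paths are illustrative only."""
    root = tempfile.mkdtemp()
    sample = {                                           # constructed content, no real payloads
        "index.php": b"<?php // legitimate Joomla entry point",
        "images/logo.png": b"\x89PNG",
        "images/banner.php.gif": b"<?php // disguised upload",
        "media/com_sppagebuilder/assets/iconfont/x/font/codex-sppb-d1a93331.php": b"<?php // dropped",
        "tmp/index.html": b"", "tmp/x.xml": b"<x/>", "cache/index.html": b"",
        "err.shtml": b"<!-- server-side include -->",
        "templates/cassiopeia/index.php": b"<?php // ... secure.local ...",
    }
    for rel, data in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return audit(root)


if __name__ == "__main__":
    import json
    print(json.dumps(demo_audit(), indent=2))
```

Run it against a real web root with `audit("/path/to/public_html")`; every list it returns should be empty on a clean site.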
David Forés
2 days ago #225880

As an additional security measure, would it be helpful (or would it have been helpful in this case) to password-protect the “/administrator” directory from the hosting control panel?

0
Paul Frankowski
Senior Staff 2 days ago #225884

David, against that, it will not help; it's only against typical guessing login & password bots or humans. But it's good to have it anyway.


0
Paul Frankowski
Senior Staff 2 days ago #225886

Thomas,

when I check my Joomla firewall logs I also see requests to WordPress plugins very often ;] bots are "blind" but trying anyway.

On the Linux level, a great solution before touching the Joomla/WP code. But as far as I know, Imunify360+ has it already, but it's extra software for the Hosting Panel.

For Joomla there are firewalls (premium) that block an IP after bad requests.

0
Łukasz
2 days ago #225889

Hello, I've had six websites attacked. Fortunately, I realized it quickly and they only uploaded files. What's disturbing is that the attacks happened so quickly. One day was enough for the websites to be infected.

0
Paul Frankowski
Senior Staff 2 days ago #225893

Łukasz, can you write me your hosting name?

0
Paul Frankowski
Senior Staff 2 days ago #225890

It takes a minute... if somebody has a ready script for a dedicated hole. Even the current version of Joomla and PHP won't help. The same problem was with the JCE hole; it was craziness last week. Hopefully firewalls may block some requests and delay the "hacking" process.


If you have skills and good tool you can open almost any lock in seconds, like on movies.

0
ZDKanton
2 days ago #225897

I have found on one of my sites only this: assets\iconfont\codexsppb1bd2add5\font\codex-sppb-d1a93331.php

I have made a copy but my BitDefender has removed it.

assets\iconfont\codexsppb1bd2add5\font\codex-sppb-d1a93331.php is malware of type Generic.PHP.WebShell.X.D4821E87

0
Marin
2 days ago #225902

I found dozens of files removed by Imunify360 (around 70 files in total). They were all located in the /tmp and /media directories. I also found dozens of icon packages that had been added to SPPB.

I first learned about the malware scripts from my hosting provider, and I'm glad they are doing an excellent job monitoring and handling these issues. Since updating the system, I haven't seen any new incidents reported by Imunify360.

My main concern now is whether the attackers managed to steal any sensitive data, such as database usernames and passwords, Joomla administrator credentials, or other information.

0
Giannis
2 days ago #225903

I have the same issue. I've found that the intruder successfully created power users after uploading malicious files to the server. Does the latest version resolve this security hole?

0
Paul Frankowski
Senior Staff 2 days ago #225915

@Giannis

  1. Yes, SPPB 6.6.2 fixed the problem (read changelog)
  2. Upcoming SPPB 6.6.3 (soon) will get even stronger protection.
0
Richard
2 days ago #225906

So far my V6 sites are clean and patched, but I have a lot of older sites with older versions (pre V6) which I can't update to the latest version because they just won't. How much of an issue are these currently?

0
Petr Benes
2 days ago #225908

Hi JoomShaper team, could you please specify which SPPB versions are affected? I have some sites still running on v3.8.10 which are not ready for an update to the latest security patch.

0
Paul Frankowski
Senior Staff 2 days ago #225910

Petr, about your question: SPPB 3.8.10 doesn't have custom icon upload. No worries. I responded here: https://www.joomshaper.com/forum/question/45163

0
Paul Frankowski
Senior Staff 2 days ago #225912

Richard, extra good news:

Today's version of RSFirewall 3.3.7 added protection against the SP Page Builder < 6.6.2 vulnerability. It's very useful if you have to keep old SPPB 5.x and somehow cannot use the new SPPB 6.6.2.


If your sites and installed SPPB don't have Custom Icon feature, nothing to worry about.

0
Richard
2 days ago #225916

Thanks

0
Paul Frankowski
Senior Staff 2 days ago #225920

@Marin, about the 2nd topic, hard to say; in most cases they don't care. They want to grab the website and use it for ad purposes, like the wall of your home to put banners on and earn money while you are on vacation. Or just a "hacked" check, next please.


But it's always recommended to do the basic steps:

  1. Remove Joomla Admin accounts that were not created by you.
  2. Change all passwords (Joomla Users). You can also change the login name as well.
  3. Change the Database User password (and update the configuration.php file afterwards).
  4. Check the IP that was used to hack the site and lock it. Check server logs.

Then they will not return even knowing the old "data".

0
Paul Frankowski
Senior Staff 2 days ago #225924

From what I saw in my private server & firewall logs, there are more requests to old versions of JCE than to SPPB. So don't forget about the JCE update as well.

(attached screenshot: logs5.png)

0
Łukasz
2 days ago #225943

Info in the hidden message.

0
Paul Frankowski
Senior Staff 2 days ago #225944

Some hosting companies have malware detection systems and inform customers before they block the website, and others don't. I was curious. Thanks.

0
Łukasz
2 days ago #225953

There was zero reaction here and they weren't even particularly interested. Classic. Their security is great and it's only the site's fault :D

0
David Forés
2 days ago #225990

I think this thread should be marked as “Featured,” considering the importance of the topic.

0
Paul Frankowski
Senior Staff 2 days ago #225991

Done. Good idea. Thx

0
Paul Frankowski
Senior Staff 2 days ago #225998

Security news & updates:

  • iCagenda 4.0.8 (Security Release, J5, J6), Fixed: a full unauthenticated remote code execution
  • iCagenda 3.9.15 (Security Release for Joomla 3), also Zero Day Vulnerability
  • Novarain/Tassos Framework plugin version below 6.1.0 for Joomla

Unpublishing the component does not protect you (!); you have to update or uninstall it.

0
Justin
1 day ago #226002

Are you releasing a patch for older 3.x and 5.x versions of PageBuilder for those that can't upgrade to version 6 (similar to how JCE released a patch for older versions)?

1
Paul Frankowski
Senior Staff 1 day ago #226023

@Justin, I responded in the SPPB 3 topic already. Just look up.

For SPPB 5.x: if you don't have the Custom Icon feature, no problem. If yes, install RSFirewall (!)

0
Paul
1 day ago #226007

Struggling to get the latest update 6.6.2 to install on any sites

0
Stefan Gros
1 day ago #226008

6 hours ago the attack wave started. I was lucky to have Admin Tools running so I got a notification, and luckier still to see the alarm the minute it happened. In minutes all my websites were hacked. With a little less luck this would have been a disaster. Blocked access, deleted the created admin users and uninstalled the malicious template files they installed. 6 hours of additional work and, as I said, that was the lucky part. Edit: seems like that's not enough. :(

0
Paul Frankowski
Senior Staff 1 day ago #226026

@Stefan.

Indeed, Akeeba Tools Pro is a very smart, trusted and good firewall that can protect the site from many threats.

0
Richard
1 day ago #226009

For those that aren't aware, mysites.guru clocked this one and the JCE vulnerability early doors and provided simple means to update all sites. Saved my bacon several times, very much recommended. He has already warned there is another one coming ....

0
Paul Frankowski
Senior Staff 1 day ago #226027

@Richard,

mysites.guru has very good tools to inform about threats and update extensions in a single click.

Also, in the Blog section its owner explained the details.

0
S-D CONSULTING
1 day ago #226010

The opening post contains a small error. I was clearly referring to version 6.6.1, not 6.1.1, but the forum won't allow me to correct it. It's good to have quickly discovered the security flaw and reported it, with prompt response.

0
Paul Frankowski
Senior Staff 1 day ago #226028

Yes, the post title cannot be edited anymore. But 6.1.1 also has a "hole".

0
Paul
1 day ago #226011

Hi, yes I got that, but the problem now is the latest security update 6.6.2 won't install on any of my sites

0
Paul
1 day ago #226012

Just informed support of an issue with the installer on 6.6.2, we used Codex to come up with a workaround.

0
Alvaro
1 day ago #226014

One of my clients called because their site had been compromised. They discovered a new superuser account, @secure.local, which had been registered on June 14th. We proceeded to install the latest version of SPPB.

We checked the supposed locations where PHP and HTML files might be stored, even posting the code snippet on MySitesGuru. We searched everywhere and found nothing.

So the question for everyone here is: how was the superuser account created? Because it's assumed they first uploaded PHP files using the vulnerability in icon uploads.

I look forward to your opinions.

Regards

0
Paul Frankowski
Senior Staff 1 day ago #226029

@Paul

Not really, I updated 35+ websites just by clicking update in the J! admin, on 4 different servers. One of them has Plesk, too. Check if you can update other extensions, ask hosting support etc.

0
Paul Frankowski
Senior Staff 1 day ago #226030

@Alvaro, please read technical details >> https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/

and then scroll up and find my post here with "To scan website use:" and follow the steps.


Yes, if somebody uploaded a PHP file with good code (a tool), he can do almost anything, like 007 from the James Bond movies.


For sure delete those fake accounts, etc.

0
Alvaro
1 day ago #226040

In the case we're reviewing, we haven't found anything. The reason is that they executed asset.deleteCustomIcon, which deleted the icon and the PHP file. The logs show that the images and media/com_sppagebuilder folders were modified that day.

In this same case, they did it in two steps: the scan and the attack. Therefore, we have three successful POST requests and only two GET requests to delete. We're investigating where the third one is.

The strange thing is that they deleted the files; normally, they leave them.

0
ZDKanton
1 day ago #226039

I have checked my raw access logs. Found only this:

Line 2410308: 45.192.213.29 - - [14/Jun/2026:18:14:28 +0200] "POST /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon HTTP/1.1" 200 457 "-" "sppb660-batch/1.0"

Line 2410310: 45.192.213.29 - - [14/Jun/2026:18:14:28 +0200] "GET /media/com_sppagebuilder/assets/iconfont/codexsppb1bd2add5/font/codex-sppb-d1a93331.php HTTP/1.1" 404 976 "-" "sppb660-batch/1.0"

So it seems the execution of the file was blocked.

I haven't found any other files. There was a custom icon in SP Page Builder but I have deleted it.

Thanks for marking this as Featured.

0
Pantelis P
1 day ago #226042

I have some Joomla 3.10.12 sites running SP Page Builder Pro version 3.8.10. Do I also have to install the latest version on these in order not to be compromised? I am asking this because maybe the latest version is not 100% compatible with Joomla 3.10.12 and PHP 7.4. Don't judge me for having old version sites; customers are not always willing to pay for the upgrade. Thank you in advance.

0
Paul Frankowski
Senior Staff 1 day ago #226044

@Pantelis, I responded in that topic above (scroll up), but also in detail here: https://www.joomshaper.com/forum/question/45163

I know, everyone has their own reasons, but the risk is also yours!

0
Pantelis P
1 day ago #226048

Thank you for your answer

0
Robert
1 day ago #226046

Got one site that had a login:

  • User webmanager83 has logged in to admin

  • User webmanager83 has installed template tmpl_dfgklc

  • User webmanager83 has logged in to admin

  • User webmanager83 has installed template tmpl_boiklx

Updated and removed the user. Uninstalled the icon manager files in the backend (PHP files) and through FTP, checked all files and it looks like everything else hasn't been touched or added.

Changed my Joomla admin pass and logged into the DirectAdmin on the hosting and checked the log files. No logins/changes in the last weeks. Can't find other weird files on the server. I will keep monitoring this site and when there is a login or new files I will change everything with a backup from 2 weeks ago. I will ask the host to check the files also.

0
Giannis
1 day ago #226047

Info for everyone:

Using file manager or similar tool, search for content "secure.local" inside the root folder of the website and if you find any files delete them.

Search for content "uploadCustomIcon", "POST /index.php?option=com_jce", "x.xml", ".xml.php", "g.php" in your logs folder to check whether the website was compromised (clarification: not joomla logs folder! Your web server logs folder).

Check for ".php.gif" files. Clear cache and tmp folders. Check for rogue users and especially power users and delete them.

Even better: Restore site two-three weeks prior. Then update the affected extensions (JCE, Pagebuilder) or remove them if you don't use them.

The malicious file shows the entire configuration.php file to the hackers, so you must change db user passwords in any case.

0
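A small access-log scanner, added here as an example (not JoomShaper's code or anything posted in the thread), that applies the request indicators from the post above and ZDKanton's observation further up that a later GET of the dropped .php answered with 404 means it never ran. The log lines are constructed in the combined format quoted earlier in the thread (TEST-NET addresses, not real attackers); the indicator labels are this example's own.

```python
import re
from collections import defaultdict

# Combined log format, matching the raw access-log lines quoted earlier in this thread
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Request indicators named in this thread; labels are the example's own, list is not exhaustive
INDICATORS = {
    "sppb_icon_upload": re.compile(r"task=asset\.uploadCustomIcon", re.I),
    "sppb_icon_delete": re.compile(r"task=asset\.deleteCustomIcon", re.I),  # attackers cleaned up
    "jce_post": re.compile(r"option=com_jce", re.I),                          # POST only
    "dropped_name": re.compile(r"(?:/x\.xml$|\.xml\.php|/g\.php|secure\.local)", re.I),
}
# A .php requested from a directory that should serve only static uploads
PHP_IN_UPLOAD_DIR = re.compile(r"^/(?:images|media)/.*\.php(?:$|[?/])", re.I)

# Constructed sample log (TEST-NET addresses); paths follow the lines quoted above
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2026:18:14:28 +0200] "POST /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon HTTP/1.1" 200 457 "-" "sppb660-batch/1.0"
203.0.113.7 - - [14/Jun/2026:18:14:28 +0200] "GET /media/com_sppagebuilder/assets/iconfont/codexsppb1bd2add5/font/codex-sppb-d1a93331.php HTTP/1.1" 404 976 "-" "sppb660-batch/1.0"
198.51.100.23 - - [14/Jun/2026:19:02:11 +0200] "POST /index.php?option=com_jce HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jun/2026:19:02:13 +0200] "GET /images/g.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Jun/2026:19:05:00 +0200] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "https://example.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Group findings per client IP; only IPs with at least one finding are returned.

    executed: .php under /images or /media answered with 2xx (the uploaded file ran)
    blocked:  the same kind of request answered with any other status (e.g. 404 after a deny rule)
    """
    report = defaultdict(lambda: {"indicators": set(), "executed": [], "blocked": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = report[rec["ip"]]
        for name, pat in INDICATORS.items():
            if name == "jce_post" and rec["method"] != "POST":
                continue
            if pat.search(rec["path"]):
                entry["indicators"].add(name)
        if PHP_IN_UPLOAD_DIR.search(rec["path"]):
            bucket = "executed" if rec["status"].startswith("2") else "blocked"
            entry[bucket].append(rec["path"])
    return {ip: e for ip, e in report.items() if e["indicators"] or e["executed"] or e["blocked"]}


if __name__ == "__main__":
    for ip, entry in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, sorted(entry["indicators"]), "executed:", entry["executed"], "blocked:", entry["blocked"])
```

Feed it your real web-server access log with `scan(open("access.log"))`; any IP listed under "executed" warrants the full cleanup steps above, not just a file deletion.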
Paul Frankowski
Senior Staff 22 hours ago #226107

Extra notice: if in an act of desperation you decided to "Restore website from older backup", first delete the current site, because some malware files can be hidden deeply (.)(.). Only on a clean root (public_html) can you recover the site from backup. Scan the recovered backup files as well.

0
MiBa
9 hours ago #226148

Don't forget to check the Cassiopeia index file. I've found malicious code at the end; it's in hidden content for reference.

0