Hello JoomShaper Support Team,
I am writing to report a security issue I discovered on multiple Joomla websites I manage, all running SP Page Builder version 6.6.2.
Despite updating to version 6.6.2 — which is supposed to include the fix for CVE-2026-48908 — I found that the file:
administrator/components/com_sppagebuilder/editor/traits/IconsTrait.php
...was still missing the authentication check in the uploadIcons() function. In other words, the function was still accessible without any login, exactly as described in the CVE.
What I observed in the access logs:
An automated bot was actively exploiting the asset.uploadCustomIcon endpoint with the following pattern:
POST /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon HTTP/1.1 → 200
GET /media/com_sppagebuilder/assets/iconfont/ico[random]/fonts/[random].PHP → 403
The bot (user-agent: "sppb-rce-poc") was uploading ZIP archives containing PHP webshells into publicly accessible directories under /media/com_sppagebuilder/assets/iconfont/. The webshells were structured to execute OS commands if reached via HTTP.
Fortunately, execution was blocked by an .htaccess rule I had in place. However, the file upload itself was still succeeding (HTTP 200), meaning the vulnerable endpoint was fully reachable despite running version 6.6.2.
After inspecting the IconsTrait.php file directly on the server, I confirmed it did not contain the Factory::getUser() authentication check that the fix should have introduced. I had to apply the patch manually on all affected sites.
My questions:
- Is this a known issue with the 6.6.2 update package — i.e., did the update not correctly overwrite IconsTrait.php during installation via Joomla's Extension Manager?
- Will the next release include a corrected update package that properly replaces this file?
- Is there an official way to verify that the patch was correctly applied after updating?
I have applied the following temporary fix manually on all affected sites, adding at the beginning of the uploadIcons() function:
$user = Factory::getUser();
if ($user->guest || !$user->authorise('core.manage', 'com_sppagebuilder')) {
$this->sendResponse(['status' => false, 'message' => 'Unauthorized'], 403);
return;
}
This mirrors what the official fix should have done. However, this manual patch will be overwritten by future updates, so I am concerned the issue will reappear.
Please advise on the correct course of action.
Thank you for your attention to this matter.
Best regards,
Francesco