Security Issue Still Present In SP Page Builder 6.6.2 – CVE-2026-48908 / IconsTrait.php Not Patched - Question | JoomShaper

Security Issue Still Present In SP Page Builder 6.6.2 – CVE-2026-48908 / IconsTrait.php Not Patched

F

Francesco

SP Page Builder 1 week ago

Hello JoomShaper Support Team,

I am writing to report a security issue I discovered on multiple Joomla websites I manage, all running SP Page Builder version 6.6.2.

Despite updating to version 6.6.2 — which is supposed to include the fix for CVE-2026-48908 — I found that the file:

administrator/components/com_sppagebuilder/editor/traits/IconsTrait.php

...was still missing the authentication check in the uploadIcons() function. In other words, the function was still accessible without any login, exactly as described in the CVE.

What I observed in the access logs:

An automated bot was actively exploiting the asset.uploadCustomIcon endpoint with the following pattern:

POST /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon HTTP/1.1 → 200 GET /media/com_sppagebuilder/assets/iconfont/ico[random]/fonts/[random].PHP → 403

The bot (user-agent: "sppb-rce-poc") was uploading ZIP archives containing PHP webshells into publicly accessible directories under /media/com_sppagebuilder/assets/iconfont/. The webshells were structured to execute OS commands if reached via HTTP.

Fortunately, execution was blocked by an .htaccess rule I had in place. However, the file upload itself was still succeeding (HTTP 200), meaning the vulnerable endpoint was fully reachable despite running version 6.6.2.

After inspecting the IconsTrait.php file directly on the server, I confirmed it did not contain the Factory::getUser() authentication check that the fix should have introduced. I had to apply the patch manually on all affected sites.

My questions:

  1. Is this a known issue with the 6.6.2 update package — i.e., did the update not correctly overwrite IconsTrait.php during installation via Joomla's Extension Manager?
  2. Will the next release include a corrected update package that properly replaces this file?
  3. Is there an official way to verify that the patch was correctly applied after updating?

I have applied the following temporary fix manually on all affected sites, adding at the beginning of the uploadIcons() function:

$user = Factory::getUser(); if ($user->guest || !$user->authorise('core.manage', 'com_sppagebuilder')) { $this->sendResponse(['status' => false, 'message' => 'Unauthorized'], 403); return; }

This mirrors what the official fix should have done. However, this manual patch will be overwritten by future updates, so I am concerned the issue will reappear.

Please advise on the correct course of action.

Thank you for your attention to this matter.

Best regards, Francesco

2
12 Answers
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 1 week ago #226961

Ciao Francesco,

Per motivi di sicurezza, ti preghiamo di spostare tutto il contenuto del tuo messaggio all'interno di “Contenuto nascosto” (Hidden content) — provvederemo a verificarlo al più presto.

For security reasons, please move all your message inside "Hidden content" area - we will check it asap.

yes, it will be corrected in next update (Monday I guess).

0
Rashida Rahman
Rashida Rahman
Accepted Answer
Support Agent 1 week ago #226951

Hi there!

Thanks for reaching out and sorry for your experience.

Kindly check the following post on this topic:

https://www.joomshaper.com/forum/question/45299

Best regards,

0
T
Torsten.S
Accepted Answer
1 week ago #226964

No offence guys, but i would say it is time to move on.

The SP Pagebuilder code is too big, bloated and needs a serious security review.

As User you dont save time if u use it and get more problems then it solves.

That's my review after this desaster with iconfont, because it just is.

1
SS
Seamoose IT Solutions
Accepted Answer
1 week ago #227267

Fully agree on this Torsten. A through security screening and fixing is required to keep the PB product an interestion option for webconstruction.

0
F
Francesco
Accepted Answer
1 week ago #226965

Hello,

I'm writing to report several security vulnerabilities identified in SP Page Builder Pro v6.6.2 through a static analysis of the component's PHP source code. I'd appreciate your confirmation and a timeline for the fix.

Since anyone can do the same as I did with Clause, it's important for you to be aware of some critical issues.

Unfortunately, the use of AI will inevitably lead to the discovery of more serious programming errors.

I've already had experience with JCE in recent days, and now with your component, for which I've been paying a subscription for years.

I understand the objective difficulty, but we need to take action, otherwise CMSs as we've seen them until now will be abandoned in the future.

1
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 1 week ago #226973

@Francesco , About 1st post, please "move/hide" it today.

As I got answer it was fixed in next update planned for tomorrow "The editor controller already enforces auth, authorization, and session validation before this upload flow runs, so the endpoint is not meant to be public."


About 2nd one, big thanks. I shared that too.

0
M
Mario
Accepted Answer
5 days ago #227581

@Paul Frankowski is SP Page Builder 6.6.2 secure as far, or do we have to make manual security changes or modifications?

Whan will the new version be released (you wrote before 5 days) I am really concerned!

0
F
Francesco
Accepted Answer
1 week ago #226981

I've tried several times to move the content to hidden, but it doesn't work.

Francesco

1
F
Francesco
Accepted Answer
5 days ago #227579

Per Paolo Frankowski

0
M
Mario
Accepted Answer
5 days ago #227580

as Francesco write above: does SP Page Builder 6.6.2 still have security issues? How can we fix this manually?

0
AL
Antonio Lima
Accepted Answer
5 days ago #227597

It is unsecure. You need to remove all folders related do sp_pagebuilder even if you update to the fixed version, because the updated 6.6.2 does not remove them.

I had to clean up 27 websites using Joomshaper products.

Between Helix3 and PageBuilder, this has ruined me a lot of work. Took me a large ammount of time and dropped my trust with these products below ZERO.

In the process I was always suspicious of JCE vulnerabilty. Yes there was too, but it is fixed (for good) with 2 last updates.

I wasn't fully satisfied with some things around EasyStore and now this?

Yes I am a paying customer of Joomshaper products. What I would require above all was to not be open to hackers due to a paid product. Can happen? Yes, but this has been pointed out for DAYS and?

No, this is wrong and dangerous!

0
F
Francesco
Accepted Answer
4 days ago #227634

SUBJECT: Verify Security Vulnerability Report - Unauthenticated File Write in Helix3 and HelixUltimate

0