HTProtect.org
Independent information site on Joomla security vulnerabilities
Security vulnerability

SP Page Builder – critical RCE zero-day, actively exploited

Critical · Actively exploited · CVE: Not stated in the source article
Act now
Update SP Page Builder to 6.6.2 immediately – the zero-day is being actively exploited.

Secure version: SP Page Builder 6.6.2 (emergency update) · via JoomShaper (account required)

At a glance

Affected extension: SP Page Builder – page builder, component com_sppagebuilder
Type of flaw: Unauthenticated file upload (the asset.uploadCustomIcon function checked neither login nor file type) → Remote Code Execution (RCE)
Affected versions: Entire 6.x series up to and including 6.6.1
Secure version: SP Page Builder 6.6.2 (emergency update)
Severity: Critical · actively exploited
CVE: Not stated in the source article
Joomla compatibility: Joomla 4 / 5 / 6
Status / published: As of: 16 June 2026

What is this about?

SP Page Builder by JoomShaper is one of the most widespread page builders for Joomla. The asset.uploadCustomIcon function checked neither a login nor the file type. This allowed malware to be uploaded and executed without a login (Remote Code Execution).

The entire 6.x series up to and including 6.6.1 is affected. The emergency update 6.6.2 closes the hole. It is classified as a critical zero-day and is already being actively exploited.

Typical traces of an attack: hidden super-user accounts (e.g. with email addresses ending in @secure.local) and several PHP backdoors. The update only closes the front door – existing access remains until it is removed. Merely disabling the extension does not help.

Am I affected? – How to check

  1. Open the back end

    Log in to the Joomla administrator.

  2. Check the version

    Open Extensions → Manage → Manage and filter for "SP Page Builder".

  3. Assess the version

    If the version is 6.6.1 or below, the site is vulnerable. The secure version is 6.6.2.

  4. Check for signs of intrusion

    Look for super-user accounts with an @secure.local email address and for .php files that do not belong to the site (among others under images/…/fonts/, and users.php in /media/).
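
Steps 3 and 4 as a small triage script. This is an added example, not code from htprotect.org or JoomShaper. Assumptions: the function names are hypothetical, the extra PHP-handled suffixes and the rule "no PHP under images/" go beyond what the page lists, the super-user list is supplied by you (e.g. copied from the back-end user list), and the sample tree is constructed.

```python
import os
import re
import tempfile

VULN_MAX = (6, 6, 1)  # page: 6.x series up to and including 6.6.1 is affected
PHP_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.I)  # assumption: common PHP-handled suffixes

def is_vulnerable(version):
    """True for 6.x versions up to and including 6.6.1 (the range this page names)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    ver = tuple(nums + [0] * (3 - len(nums)))
    return ver[0] == 6 and ver <= VULN_MAX

def find_suspect_files(joomla_root):
    """PHP files anywhere under images/, plus any users.php under media/."""
    hits = []
    for top in ("images", "media"):
        for dirpath, _dirs, files in os.walk(os.path.join(joomla_root, top)):
            for name in files:
                if (top == "images" and PHP_RE.search(name)) or \
                   (top == "media" and name.lower() == "users.php"):
                    hits.append(os.path.relpath(os.path.join(dirpath, name), joomla_root))
    return sorted(hits)

def flag_suspect_users(super_users):
    """super_users: (username, email) pairs; returns usernames on @secure.local."""
    return [name for name, email in super_users
            if email.strip().lower().endswith("@secure.local")]

def build_sample_site(root):
    """Constructed sample tree; the 'demo' directory is made up for the test."""
    for rel in ("images/demo/fonts/icon.php", "images/logo.png",
                "media/users.php", "media/system/js/core.js"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print("vulnerable:", is_vulnerable("6.6.1"))
        print("files to review:", find_suspect_files(site))
        print("accounts to review:", flag_suspect_users(
            [("admin", "owner@example.org"), ("sysop", "x@secure.local")]))
```

Point `find_suspect_files` at the real Joomla root on a copy or backup of the site; every hit is a file to review by hand, not proof of compromise.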

How to fix it

Before any update: back up
Back up your files and database before updating – so you can roll back if anything goes wrong (e.g. via Akeeba Backup or your host).
  1. Open the Update center

    Go to System → Update → Extensions and click Check for updates.

  2. Update SP Page Builder

    Select the entry and update to 6.6.2.

  3. Verify the version

    Confirm that 6.6.2 is now installed.

Manual installation (alternative)
Alternatively, download the package from joomshaper.com and install it via Extensions → Manage → Install. Important: do not restore old files.

Official source: via JoomShaper (account required). Make sure you have at least SP Page Builder 6.6.2 (emergency update).

Has the site already been attacked?

Actively exploited – an update alone is not enough
Attacks through this flaw leave behind hidden super-user accounts and several PHP backdoors. Find and remove these, change all passwords and harden the upload folders (e.g. via an .htaccess file that blocks PHP execution there). Merely disabling the extension does not help.

Sources & further reading

The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.
