{
  "variant_id": "d6204c42-6250-4cd8-b892-27f89ae1d584-vc1",
  "created_at": "2026-07-07T22:45:00Z",
  "variant_summary": "No bypass or distinct RCE variant found for CVE-2026-48908. The 6.6.2 auth/CSRF guard on the site SppagebuilderControllerAsset blocks all tested alternate entry points (missing controller prefix, direct unpack, admin editor.icons, and the read-only loadCustomIcons method).",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "com_sppagebuilder",
  "submitted_target": {
    "target_kind": "package_version",
    "version": "6.6.1",
    "ref": "release/10365",
    "display": "SP Page Builder 6.6.1 for Joomla"
  },
  "variant_target": {
    "target_kind": "package_version",
    "version": "6.6.2",
    "ref": "release/10367",
    "display": "SP Page Builder 6.6.2 for Joomla (vendor fixed release)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon",
  "attacker_controlled_input": "multipart ZIP archive (custom_icon) containing .htaccess + uppercase .PHP web shell",
  "trigger_path": "site/controllers/asset.php::uploadCustomIcon -> unpack -> Folder::copy to /media/com_sppagebuilder/assets/iconfont/",
  "observed_impact_class": "none",
  "exploitability_confidence": "low",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": false,
  "inferred": false,
  "claim_block_reason": "fix_complete",
  "blocking_mitigation": "6.6.2 adds SppagebuilderControllerAsset::__construct() requiring core.admin/core.manage authorization, a logged-in user, and Session::checkToken(); removes non-upload custom-icon methods from the site controller; and makes unpack() private.",
  "file_path": "site/controllers/asset.php",
  "line_start": 34,
  "line_end": 58,
  "secondary_anchors": [
    {
      "file_path": "site/controllers/asset.php",
      "line_start": 67,
      "line_end": 280
    },
    {
      "file_path": "admin/editor/traits/IconsTrait.php",
      "line_start": 81,
      "line_end": 300
    },
    {
      "file_path": "admin/controllers/editor.php",
      "line_start": 126,
      "line_end": 150
    }
  ],
  "review_scope_paths": [
    "site/controllers/asset.php",
    "site/controllers/media.php",
    "site/controllers/ai_content.php",
    "site/controllers/page.php",
    "site/controller.php",
    "admin/editor/traits/IconsTrait.php",
    "admin/controllers/editor.php"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "logs/variant_fixed_test.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": ["bundle/vuln_variant/reproduction_steps.sh"]
  }
}
