On July 9, 2026, JoomShaper publicly announced an uncomfortable decision: for the Joomla 3 lines of SP Page Builder, Helix3, and Helix Ultimate, there will be no more security patches - literally, regardless of severity. If you are still running your site with these extensions on Joomla 3, that raises the question: how can I secure my Joomla 3 site now without having to migrate immediately? The good news first: you are not left unprotected. The three currently known JoomShaper Joomla 3 security vulnerabilities can be blocked at the door - and that is exactly what our free component HTProtect does, on Joomla 3 just as on 4, 5, and 6.

When it comes to security updates, we usually preach the same first step: update. This time the situation is different. For Joomla 3, the fix simply no longer exists - and it never will again. This article explains what happened, how dangerous the three vulnerabilities really are, why Joomla 3 sites are now in the spotlight, and how you can still secure your site effectively.

What happened?

JoomShaper is one of the largest providers in the Joomla ecosystem - SP Page Builder, the Helix framework, and the associated templates run on hundreds of thousands of sites. On July 9, 2026, the company announced that it would discontinue Joomla 3 support for all products. The key line: the Joomla 3 versions will receive no more security updates, no matter how critical a vulnerability is.

The reasoning is understandable: JoomShaper can maintain its own code, but not the Joomla core underneath it - and for Joomla 3, that core has long reached end of life. Security updates are therefore only being released for versions for Joomla 4 and above: SP Page Builder 6.6.2, Helix3 3.1.1, and Helix Ultimate 2.2.7 - all three require Joomla 4+ and cannot be installed on Joomla 3 at all.

The timing is the real explosive factor. The announcement comes at exactly the moment when JoomShaper products have generated several serious vulnerabilities - some of them actively exploited. In short: the door is being shut while someone is already shaking the handle outside.

The three vulnerabilities in detail

Three specific vulnerabilities are in play. All three share one thing that makes them so dangerous: they are exploitable without login. An attacker does not need an account or a password - access via the frontend is enough.

SP Page Builder: unauthenticated upload leading to remote code execution

The most severe flaw is in the Asset Controller of SP Page Builder (task=asset.uploadCustomIcon). It allows a file to be uploaded and executed without any authentication - the classic case of unauthenticated upload followed by remote code execution. It is tracked as CVE-2026-48908 with the maximum CVSS score of 10.0. It has already been exploited in the wild to quietly create hidden Joomla super admins. For Joomla 4+, it is fixed in 6.6.2 - not for Joomla 3.

Helix3: unauthenticated writing and deleting of files

Helix3 includes a com_ajax handler (onAjaxHelix3) whose actions save, import, and remove did not perform any permission checks. An unauthenticated outsider could use it to write and delete files, in some cases via path traversal even outside the intended directory. This Helix3 vulnerability is tracked as CVE-2026-49049 with a CVSS of 7.5. JoomShaper fixed it at the end of June with Helix3 3.1.1 - again only for Joomla 4+.

Helix Ultimate: stored XSS all the way into the admin session

Helix Ultimate allowed writing to the menu settings without login via its AJAX handler (onAjaxHelixultimate). Because this content was not sanitized before output, malicious code could be stored - a stored XSS that is then executed in your visitors' browsers and, much worse, in your own admin session. This allows an attacker to act in your name, for example by quietly creating another super user. The fix is included in Helix Ultimate 2.2.7; there is still no CVE entry for this issue.

The following overview summarizes what it is about - and what HTProtect does about it:

Extension Vulnerability & CVE Severity What HTProtect does
SP Page Builder
(Joomla 3 line)
Unauthenticated upload leading to RCE via asset.uploadCustomIcon
CVE-2026-48908 🔗
Critical
CVSS 10.0
Dedicated WAF signature blocks anonymous access; generic guest-upload filter and PHP shield additionally catch executable uploads
Helix3
(< 3.1.1)
Unauthenticated writing/deleting of files via onAjaxHelix3 (including path traversal)
CVE-2026-49049
High
CVSS 7.5
Dedicated WAF signature blocks the anonymous com_ajax call before the handler loads
Helix Ultimate
(< 2.2.7)
Unauthenticated writing to menu settings, stored XSS via onAjaxHelixultimate
no CVE
High Dedicated WAF signature blocks anonymous menu write access at the door

Note: The WAF signatures apply exclusively to anonymous frontend access. Your logged-in, legitimate work in the backend remains unaffected.

Why Joomla 3 sites are especially affected right now

Joomla 3 is itself End of Life. The 3.10 branch already lost its regular support in 2023; the paid Extended Security Program (eLTS), which continued to provide patches for the core until February 2025, has also expired. The Joomla core will therefore no longer receive updates - and now the most widely used JoomShaper extensions on it will not either.

This creates a dangerous combination: known vulnerabilities, some of them actively exploited, on the one side, and no vendor patch on the other. As soon as the patched code for Joomla 4+ is made public, anyone can compare it with the old version and infer how the vulnerability works. From that point on, it is only a matter of time before automated scanners specifically look for exactly these outdated installations. For Joomla 3, that means the vulnerability remains open, permanently.

One more misconception up front, because in practice it often leads to a false sense of security: simply deactivating does not protect an extension. The files and AJAX endpoints remain on the server and can still be accessed directly.

This is how HTProtect protects Joomla 3 - the three layers

HTProtect is our free Joomla security component. It does not replace an update - but it covers exactly the vectors for which there is no longer an update on Joomla 3. And because its system plugin runs from Joomla 2.5 to 6, it works on Joomla 3 just as it does on 4, 5 and 6.

1. Block the attack vector (Web Application Firewall)

HTProtect includes dedicated, false-positive-free WAF signatures for all three vulnerabilities (Helix3, Helix Ultimate, SP Page Builder). They are enforced by the HTProtect system plugin, which intervenes before the vulnerable function even loads. Important: the signatures block only anonymous frontend access - your legitimate, logged-in work remains unaffected. By the way, these signatures already existed with us before the public discontinuation, since the end of June / beginning of July 2026.

In addition, there are two generic layers of protection that work independently of a specific vulnerability: a guest upload filter that intercepts executable uploads in any component, and the PHP shield that prevents the execution of .php files in upload and media folders via .htaccess. This defuses the entire class of follow-up attacks, even if a file does slip through once.

2. Warning

HTProtect detects vulnerable extensions and points them out to you in the overview - specifically, it warns for Helix3 below 3.1.1 and Helix Ultimate below 2.2.7 (and all older versions). This gives you an at-a-glance view of which of your sites are affected at all, without having to click through each installation individually.

3. Detect and clean up compromise

If it has already happened, HTProtect finds and cleans up the exact observed consequences: injected super admins, injected JavaScript or XSS in menus and SP Page Builder elements, defacement, as well as backdoors and malware. The cleanup runs with one click and is reversible, so you do not permanently delete anything by mistake.

What HTProtect is NOT - an honest assessment

So you know what you can rely on, the limits are clearly stated here:

  • HTProtect is not a source code patch. It is robust protection plus detection. The gate is closed - but the flaw remains in the extension's code. We do not repair the vulnerable function; we make sure it can no longer be reached from outside.
  • The protection plugin must remain active. By default, it is enabled, and HTProtect monitors itself - but a deactivated plugin does not protect you.
  • Joomla 3 remains End of Life. HTProtect gives you time and robustly covers the known attack vectors. The final solution is and remains the migration to Joomla 5 or 6. If you cannot migrate right away - and many cannot for good reasons - this protection is there exactly for that.

Your checklist - here's what to do now

  1. Inventory: Find every one of your Joomla 3 installations and check which ones use SP Page Builder, Helix3, or Helix Ultimate.
  2. Close the door: Install HTProtect and keep the WAF, guest upload filter, and PHP shield active. This blocks the three known vectors immediately.
  3. Check for traces: Review the user list for super users you did not create, and check menus, mega menus, and template settings for foreign markup or custom code. Run a malware scan across the entire webspace.
  4. If in doubt, clean up properly: Treat the site as compromised, preserve evidence, change all passwords as well as database and FTP/SSH access, and end all sessions. A protection plugin does not remove malicious code that has already been placed.
  5. Plan the migration: Put the affected sites on the roadmap toward Joomla 5 or 6. HTProtect buys you the time for that - no more, but also no less.

More details on the individual frameworks

We have published separate articles on each of the vulnerabilities: the Helix3 vulnerability, the Helix Ultimate vulnerability, and the SP Page Builder vulnerability. How HTProtect secures each framework is described on htprotect.org/helix3 and htprotect.org/helix-ultimate.

FAQ

Is my Joomla 3 site with SP Page Builder still secure?

Without additional protection: no, not permanently. For the Joomla 3 line, there have been no security patches since July 9, 2026, and at least one of the known vulnerabilities has already been actively exploited. However, with a WAF like the one in HTProtect, the known attack path can be reliably blocked until you can migrate.

Can I secure Joomla 3 without migrating?

Yes - as a transitional measure. HTProtect blocks the known vectors at the door, warns about vulnerable extensions, and detects an existing compromise. This provides effective protection, but it does not replace migration: Joomla 3 itself is End of Life and no longer receives core updates.

Does HTProtect block CVE-2026-48908?

Yes. HTProtect has a dedicated WAF signature for this SP Page Builder vulnerability that blocks anonymous access to the vulnerable upload before it can be executed. In addition, the generic guest upload filter and the PHP shield intercept executable uploads. The signature already existed before the public disclosure.

Is HTProtect a patch for the extension?

No. HTProtect does not patch the source code of SP Page Builder or Helix. It closes the attack entry point from the outside (defense) and detects a compromise (detection) - the flaw remains in the extension's code. That is why migrating to a maintained Joomla version remains the real goal.

Is it enough to disable the affected extension?

No. When disabled, the files and AJAX endpoints remain on the server and can still be called directly. Protection only comes from actively blocking access or completely removing the extension - the latter usually costs you functionality or layout.

How can I tell whether my site has already been hacked?

Typical signs are unknown super users in the user list, altered or foreign markup in menus and template settings, a defacement of the homepage, and new, unexplained files in the web space. HTProtect reports such changes and finds planted backdoors during the scan.

Do you run Joomla 3 with SP Page Builder or Helix? Install HTProtect for free and close the three attack entry points today. And if there is reason to believe your site has already been compromised, we will clean up the entire web space for you - not just the framework. See our immediate help for hacked Joomla sites for more information.

Conclusion

JoomShaper is pulling the plug on Joomla 3: no more security patches for SP Page Builder, Helix3 and Helix Ultimate - even though three serious, partly actively exploited vulnerabilities are currently in the room with CVE-2026-48908 (CVSS 10.0), CVE-2026-49049 (CVSS 7.5) and the Helix Ultimate XSS. Anyone who cannot migrate immediately is therefore not defenseless. The honest three-step approach is: block the attack vector, warn about vulnerable extensions, detect and clean up a compromise. That is exactly what HTProtect does - on Joomla 3 as well as 4 through 6. It gives you the time you need for the final and decisive step: the migration to Joomla 5 or 6.

Source: JoomShaper announcement on the end of Joomla 3 support from 9 July 2026, as well as the security notices and CVE entries for CVE-2026-48908 and CVE-2026-49049; prepared with reference to mySites.guru.

Never miss another security update!

Additional offers

Customers about us

„The conversion of our Joomla website from PHP 5.3 to PHP 7 was super fast, affordable, and with impeccable results. Very good and friendly communication.“
– H. Bergmann

„Within one day, everything was done extremely professionally and extremely quickly. Very trustworthy. Excellent. 5 stars“
– Fernando V.

„I was unable to help myself, but here I found the expertise needed to get everything cleaned up again. Necessary updates and backups were carried out, everything was extremely affordable, fast, and good!“
– Klaus-Peter

„The site looks great – everything as before – and on PHP 7.2 – I am impressed - many heartfelt thanks!“
– Dr. Ingo Wuddel

„Since we run an online shop, it was very important to us that our site was quickly available again with full functionality for our customers. All work is carried out extremely quickly to our complete satisfaction.“ – Loewen Handels GmbH

„Very fast, reliable, and effective handling of the problem. In addition, I was given tips and Strato-specific information to reduce the risk of the problem recurring.“
– Heino B.

„The contact was exceptionally friendly, and some cosmetic additional work was taken care of on its own - as if it were completely natural. I am relieved and very grateful.“
– R. Mayer

„Great. In an absolute emergency, after 2 domains were blocked by Strato due to a hacker attack, both domains were initially temporarily back online the same day.“
– I. Radchenko

„Excellent service. Problem solved within 18 hours. We are delighted. Thank you very much 🙏“
– Tien Sy Vuong

Website-Bereinigung.de Support Service Google Reviews

Contact options

This email address is being protected from spambots. You need JavaScript enabled to view it.
Contact form

Schedule a call
+49 (0)2406 969796
Mon. - Fri. | 9 am - 9 pm