CVE-2026-48939
Published 2026-06-20 · Updated 2026-07-10 · Source security@joomla.org
Description
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known-Exploited Vulnerability
Product: iCagenda — iCagenda
Name: iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability
Date added: 2026-07-10 · Due: 2026-07-13
Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
References
- https://www.icagenda.com/
- https://github.com/Polosss/By-Poloss..-..CVE-2026-48939
- https://mysites.guru/blog/icagenda-zero-day-file-upload-rce/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48939
- https://www.icagenda.com/docs/changelog/icagenda-3-9-15
- https://www.icagenda.com/docs/changelog/icagenda-4-0-8

