iCagenda unauthenticated file-upload RCE via file attachments
The iCagenda Joomla extension allows unauthenticated arbitrary file upload through the event file-attachment feature, resulting in PHP code upload and execution. Fixed in 3.9.15 and 4.0.8. CVSS 9.8. Added to CISA KEV on 2026-07-10.
- Vendor
- iCagenda
- Product
- iCagenda (Joomla extension)
- CVSS
- 9.8
- EPSS (exploit probability)
- N/A
- Status
- kev
- Published
CVE-2026-48939 is an arbitrary-file-upload flaw in iCagenda, a widely deployed Joomla event-calendar extension. Per NVD, the extension’s file-attachment feature accepts arbitrary uploads, permitting a PHP file to be written and subsequently executed as the Joomla process — remote code execution, unauthenticated. CWE-434.
Advisory context
CISA added CVE-2026-48939 to the Known Exploited Vulnerabilities catalog on 2026-07-10, in the same batch as CVE-2026-56291 in Balbooa Forms — a second Joomla-extension file-upload RCE. Federal due date on both is 2026-07-13.
The vendor shipped fixes in iCagenda 3.9.15 and 4.0.8. Discovery and PoC came from Poloss; a technical writeup is at mySites.guru. The NVD record was published 2026-06-20 — the KEV addition and BOD 26-04 deadline mean the exploitation signal caught up to the disclosure roughly three weeks later.
What to do
Verify whether iCagenda is installed via the Joomla admin’s Extensions Manager or a SELECT * FROM #__extensions WHERE element='com_icagenda' query. If installed, upgrade to 3.9.15 (3.x line) or 4.0.8 (4.x line). If the site has been publicly reachable with a vulnerable install, treat the same-day audit of images/, template upload directories, and any writable path for .php or .phtml artifacts as mandatory — a compromised Joomla install is the sort of thing that surfaces as a mail-spam relay by the following morning.
Priority guidance and the broader Joomla-extension audit angle are in the article writeup. Canonical NVD record: CVE-2026-48939.