Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-48939

iCagenda unauthenticated file-upload RCE via file attachments

The iCagenda Joomla extension allows unauthenticated arbitrary file upload through the event file-attachment feature, resulting in PHP code upload and execution. Fixed in 3.9.15 and 4.0.8. CVSS 9.8. Added to CISA KEV on 2026-07-10.

cat cve-2026-48939.json
Vendor
iCagenda
Product
iCagenda (Joomla extension)
CVSS
9.8
EPSS (exploit probability)
N/A
Status
kev
Published

CVE-2026-48939 is an arbitrary-file-upload flaw in iCagenda, a widely deployed Joomla event-calendar extension. Per NVD, the extension’s file-attachment feature accepts arbitrary uploads, permitting a PHP file to be written and subsequently executed as the Joomla process — remote code execution, unauthenticated. CWE-434.

Advisory context

CISA added CVE-2026-48939 to the Known Exploited Vulnerabilities catalog on 2026-07-10, in the same batch as CVE-2026-56291 in Balbooa Forms — a second Joomla-extension file-upload RCE. Federal due date on both is 2026-07-13.

The vendor shipped fixes in iCagenda 3.9.15 and 4.0.8. Discovery and PoC came from Poloss; a technical writeup is at mySites.guru. The NVD record was published 2026-06-20 — the KEV addition and BOD 26-04 deadline mean the exploitation signal caught up to the disclosure roughly three weeks later.

What to do

Verify whether iCagenda is installed via the Joomla admin’s Extensions Manager or a SELECT * FROM #__extensions WHERE element='com_icagenda' query. If installed, upgrade to 3.9.15 (3.x line) or 4.0.8 (4.x line). If the site has been publicly reachable with a vulnerable install, treat the same-day audit of images/, template upload directories, and any writable path for .php or .phtml artifacts as mandatory — a compromised Joomla install is the sort of thing that surfaces as a mail-spam relay by the following morning.

Priority guidance and the broader Joomla-extension audit angle are in the article writeup. Canonical NVD record: CVE-2026-48939.