iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability
iCagenda — iCagenda
- Added to KEV catalog
- 10 July 2026
- Federal remediation due date
- 13 July 2026
- Weakness classification (CWE)
- CWE-434
AI Breakdown
What it is
This vulnerability, CVE-2026-48939, affects iCagenda, an extension for Joomla, allowing an attacker to upload any type of file, including dangerous ones, through its file attachment feature. This enables them to execute malicious PHP code on the affected system. Essentially, an attacker can trick the system into running their own harmful code.
Why it matters
This is a critical vulnerability with a CVSS score of 9.8, meaning it poses a significant risk if exploited, potentially allowing attackers to take full control of systems by running their own code. While its use in ransomware campaigns is currently unknown, its severity demands immediate attention. Federal agencies have a due date of 2026-07-13 for addressing this vulnerability.
Recommended action
You must apply all available mitigations and patches from the vendor immediately, making sure to follow CISA's BOD 26-04 guidance and Forensics Triage Requirements. If mitigations are unavailable, or for cloud services, discontinue use of the product. It is crucial to evaluate each asset's internet exposure and ensure adherence to these patching guidelines.
AI-generated from CISA and NVD data — treat as a starting point, not a substitute for your own risk assessment.
CISA Description
iCagenda contains an unrestricted upload of file with dangerous type vulnerability that allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
Required action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Notes
https://www.icagenda.com/#download ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-48939
NVD Technical Description
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
Is this vulnerability present in your environment?
CRS delivers independent VAPT assessments that identify exactly which known-exploited vulnerabilities exist in your network, applications, and infrastructure.
Explore VAPT Services