Skip to main content
All vulnerabilities
CVE-2026-48939 CVSS 9.8

iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability

iCagendaiCagenda

Added to KEV catalog
10 July 2026
Federal remediation due date
13 July 2026
Weakness classification (CWE)
CWE-434

AI Breakdown

What it is

This vulnerability, CVE-2026-48939, affects iCagenda, an extension for Joomla, allowing an attacker to upload any type of file, including dangerous ones, through its file attachment feature. This enables them to execute malicious PHP code on the affected system. Essentially, an attacker can trick the system into running their own harmful code.

Why it matters

This is a critical vulnerability with a CVSS score of 9.8, meaning it poses a significant risk if exploited, potentially allowing attackers to take full control of systems by running their own code. While its use in ransomware campaigns is currently unknown, its severity demands immediate attention. Federal agencies have a due date of 2026-07-13 for addressing this vulnerability.

Recommended action

You must apply all available mitigations and patches from the vendor immediately, making sure to follow CISA's BOD 26-04 guidance and Forensics Triage Requirements. If mitigations are unavailable, or for cloud services, discontinue use of the product. It is crucial to evaluate each asset's internet exposure and ensure adherence to these patching guidelines.

AI-generated from CISA and NVD data — treat as a starting point, not a substitute for your own risk assessment.

CISA Description

iCagenda contains an unrestricted upload of file with dangerous type vulnerability that allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.

Required action

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Notes

https://www.icagenda.com/#download ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-48939

NVD Technical Description

A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.

Confirm Your Exposure

Is this vulnerability present in your environment?

CRS delivers independent VAPT assessments that identify exactly which known-exploited vulnerabilities exist in your network, applications, and infrastructure.

Explore VAPT Services