CVE-2026-48939 CRITICAL

CVE-2026-48939: Joomla Extension - icagenda.com - Remote Code Execution in iCaganda extension for Joomla < 4.0.8/3.9.15

Vendor Icagenda.com
Product iCagenda extension for Joomla
Weakness CWE-434 · Unrestricted file upload
KEV Status Known Exploited
Published June 20, 2026
Last update July 10, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red

What the vulnerability does

01Description

A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.

Explanation of Vulnerability in Simple Terms

02Summary

The iCagenda extension for Joomla contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files to the server over the network. An attacker can exploit this to upload malicious files, potentially gaining control of the site. No user interaction is required. Versions 3.2.1 through 4.0.7 are affected.

What an attacker can do

03Attacker Capabilities

Upload arbitrary files to your server without authentication, potentially executing malicious code.

Potential impact on your site

04Site Impact

Your Joomla site could be compromised; attackers may run code, steal data, or deface content.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

CISA mandated remediation

06CISA Required Action

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Key dates

07Disclosure timeline

June 20, 2026 CVE published
July 10, 2026 Record updated

External resources

08References

Related vulnerabilities

09Related CVE