arbitrary file upload in iCagenda <3.9.14/4.0.7
CVE-2026-48939 Published on June 20, 2026
Joomla Extension - icagenda.com - Remote Code Execution in iCaganda extension for Joomla < 4.0.8/3.9.15
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
Known Exploited Vulnerability
This iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. iCagenda contains an unrestricted upload of file with dangerous type vulnerability that allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
The following remediation steps are recommended / required by July 13, 2026: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicab
Weakness Type
What is an Unrestricted File Upload Vulnerability?
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
CVE-2026-48939 has been classified to as an Unrestricted File Upload vulnerability or weakness.