arbitrary file upload in iCagenda <3.9.14/4.0.7
CVE-2026-48939 Published on June 20, 2026

Joomla Extension - icagenda.com - Remote Code Execution in iCaganda extension for Joomla < 4.0.8/3.9.15
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.

NVD

Known Exploited Vulnerability

This iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. iCagenda contains an unrestricted upload of file with dangerous type vulnerability that allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.

The following remediation steps are recommended / required by July 13, 2026: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicab

Weakness Type

What is an Unrestricted File Upload Vulnerability?

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

CVE-2026-48939 has been classified to as an Unrestricted File Upload vulnerability or weakness.


Affected Versions

icagenda.com iCagenda extension for Joomla Version 3.2.1-4.0.7 is affected by CVE-2026-48939