PT-2026-51137 · Joomla · Icagenda
Phil Taylor
·
Published
2026-06-20
·
Updated
2026-07-14
·
CVE-2026-48939
CVSS v4.0
10
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red |
Name of the Vulnerable Software and Affected Versions
iCagenda versions prior to 4.0.8
iCagenda versions prior to 3.9.15
Description
A flaw in the iCagenda extension for Joomla allows unauthenticated users to upload arbitrary files through the attachment feature of the public event submission form. Due to insufficient restrictions on file types, an attacker can upload a PHP web shell to achieve remote code execution on the server. This issue has been reported as actively exploited in the wild as a zero-day, potentially allowing attackers to steal data, deface pages, or plant backdoors.
Recommendations
Upgrade to iCagenda version 4.0.8.
Upgrade to iCagenda version 3.9.15.
Exploit
Fix
RCE
Unrestricted File Upload
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Icagenda