PT-2026-51137 · Joomla · Icagenda

Phil Taylor

·

Published

2026-06-20

·

Updated

2026-07-14

·

CVE-2026-48939

CVSS v4.0

10

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red
Name of the Vulnerable Software and Affected Versions iCagenda versions prior to 4.0.8 iCagenda versions prior to 3.9.15
Description A flaw in the iCagenda extension for Joomla allows unauthenticated users to upload arbitrary files through the attachment feature of the public event submission form. Due to insufficient restrictions on file types, an attacker can upload a PHP web shell to achieve remote code execution on the server. This issue has been reported as actively exploited in the wild as a zero-day, potentially allowing attackers to steal data, deface pages, or plant backdoors.
Recommendations Upgrade to iCagenda version 4.0.8. Upgrade to iCagenda version 3.9.15.

Exploit

Fix

RCE

Unrestricted File Upload

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-48939

Affected Products

Icagenda