CVE-2026-48939
Joomla Extension - icagenda.com - Remote Code Execution in iCaganda extension for Joomla < 4.0.8/3.9.15
Description
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
In plain language
AI Act nowIf you use the iCagenda extension for Joomla and it’s older than 4.0.8 (or 3.9.15), attackers can upload and run their own PHP code without needing a login—this is a serious, real-world risk you should act on now.
CVE-2026-48939 is an unauthenticated remote code execution flaw in the iCagenda extension for Joomla, caused by arbitrary file upload via the extension’s file attachment feature, enabling upload and execution of malicious PHP.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
3 techniquesReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-48939 and every CVE in our database. Create a free account — no credit card required.
Create Free Account