Skip to main content

iCagenda Joomla Extension CVE-2026-48939

| EUVD-2026-38109 CRITICAL
Improper Access Control (CWE-284)
2026-06-20 Joomla GHSA-4rh3-rmh3-hv6h
Authentication Bypass PHP Icagenda Extension For Joomla
10.0
CVSS 4.0 · Vendor: Joomla
Share

Severity by source

Vendor (Joomla) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
vuln.today AI
9.8 CRITICAL

Description and Authentication Bypass tag indicate the upload endpoint is reachable remotely without credentials or user interaction, and PHP execution yields full confidentiality, integrity, and availability impact on the webserver.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Joomla).

CVSS VectorVendor: Joomla

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 22, 2026 - 07:52 vuln.today
CVE Published
Jun 20, 2026 - 11:56 cve.org
CRITICAL 10.0

DescriptionCVE.org

A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.

AnalysisAI

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the event attachment feature to upload and execute server-side code, leading to full web application compromise. The flaw affects iCagenda 1.0.0-3.9.14 and 4.0.0-4.0.7 and carries a CVSS 4.0 score of 10.0 with exploitation marked as Attacked (E:A) in the vector, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Joomla site running iCagenda
Delivery
Locate public attachment upload endpoint
Exploit
Submit PHP webshell as attachment
Install
Bypass file-type access control
C2
Request uploaded shell URL
Execute
Webserver executes PHP payload
Impact
Achieve RCE and pivot
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the target Joomla site has the iCagenda extension installed at a vulnerable version (1.0.0-3.9.14 or 4.0.0-4.0.7) and exposes the file attachment feature of that component to the network - no Joomla account, user interaction, or non-default configuration is needed per CVSS AV:N/AC:L/AT:N/PR:N/UI:N and the 'Authentication Bypass' tag. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Every signal in the input aligns on critical priority: CVSS 4.0 base 10.0 with AV:N/AC:L/AT:N/PR:N/UI:N and high impact across both vulnerable and subsequent systems (VC/VI/VA/SC/SI/SA all High), the E:A (Attacked) threat metric asserting observed exploitation activity, and a CWE-284 root cause that is highly automatable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker browses to a Joomla site that uses iCagenda, opens an event submission or attachment form exposed by the extension, and submits a malicious file named e.g. shell.php containing a PHP webshell. …
Remediation No vendor-released patch identified at time of analysis - neither the iCagenda site (https://www.icagenda.com/) nor the references (https://nvd.nist.gov/vuln/detail/CVE-2026-48939, https://vuldb.com/vuln/372536) list a fixed version, so administrators should monitor the vendor page for a release beyond 4.0.7 and update as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Conduct inventory scan of all Joomla deployments for iCagenda 1.0.0-3.9.14 or 4.0.0-4.0.7; immediately disable the extension or block attachment upload endpoints at firewall/WAF level; review access logs for indicators of exploitation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers
CVE-2025-69122 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX SeaFood Company WordPress theme (versions ≤1.4) enables remote atta

Share

CVE-2026-48939 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy