CVE-2026-48939
Published 2026-06-20
Priority P262 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.48% (37.7th percentile)
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| icagenda.com | icagenda_extension_for_joomla | — | — |
| joomlic | icagenda | >= 3.2.1 < 3.9.15 | 3.9.15 |
| joomlic | icagenda | >= 4.0.0 < 4.0.8 | 4.0.8 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red |
GHSA
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
ghsa_unreviewed · 2026-06-20
CVE-2026-48939 [CRITICAL] CWE-284 A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
VulDB
iCagenda Extension up to 3.9.14/4.0.7 on Joomla access control (EUVD-2026-38109)
vuldb · 2026-06-20 · CVSS 10.0
CVE-2026-48939 [CRITICAL] iCagenda Extension up to 3.9.14/4.0.7 on Joomla access control (EUVD-2026-38109)
A vulnerability identified as critical has been detected in iCagenda Extension up to 3.9.14/4.0.7 on Joomla. This impacts an unknown function. This manipulation causes improper access controls.
This vulnerability is registered as CVE-2026-48939. Remote exploitation of the attack is possible. No exploit is available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-20