Overview
CVE-2026-48939 is a critical unrestricted file upload vulnerability in iCagenda, a popular event calendar plugin for the Joomla CMS. The flaw resides in the plugin's file attachment feature, which fails to properly validate or restrict the types of files that can be uploaded. An attacker who can submit an event form — potentially without authentication, depending on site configuration — can upload a PHP webshell and achieve remote code execution on the underlying server.
The vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on July 10, 2026, confirming active exploitation in the wild.
Technical Details
The vulnerability is rooted in the file attachment functionality exposed through iCagenda's event submission form. The plugin does not enforce an allowlist of safe file extensions nor validate the MIME type server-side before storing the uploaded file in a web-accessible directory. As a result:
- An attacker submits an event form with a malicious
.phpfile as the attachment. - The server stores the file without stripping or blocking the dangerous extension.
- The attacker requests the uploaded file via its URL, triggering PHP execution on the web server.
- Full server-side code execution is achieved under the web server's process account.
Depending on Joomla's configuration, the attachment form may be accessible without any authentication, making this a zero-click, unauthenticated RCE in default deployments.
Affected Versions
All versions of iCagenda that include the file attachment feature are considered affected until the vendor ships a patched release. Sites running Joomla with any version of iCagenda that allows front-end file uploads should treat this as critically urgent.
Impact
| Factor | Assessment |
|---|---|
| Attack Vector | Network |
| Authentication Required | None (in default configs) |
| Impact (Confidentiality) | High |
| Impact (Integrity) | High |
| Impact (Availability) | High |
Successful exploitation gives an attacker a persistent foothold on the web server, enabling data exfiltration, lateral movement within the hosting environment, defacement, or use of the server as a pivot point for further attacks.
Remediation
- Update immediately: Install the latest version of iCagenda from the Joomla Extension Directory as soon as a patched release is available.
- Disable file attachments: If the file attachment feature is not required, disable it through the iCagenda plugin settings to eliminate the attack surface.
- Apply upload restrictions at the server level: Configure the web server (Apache/Nginx) to deny execution of PHP files in upload directories regardless of extension.
- Audit uploaded files: Review
components/com_icagenda/assets/uploads/(or equivalent) for any.php,.phtml, or.pharfiles that should not be present. - Web Application Firewall: Deploy or configure a WAF rule to block requests that upload files with executable extensions to the iCagenda component path.
CISA Binding Operational Directive
Federal civilian executive branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by the CISA-specified deadline. All organizations — public and private — are strongly encouraged to treat KEV entries as high-priority and apply mitigations without delay.