CVE-2026-48939 — iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability

CVE-2026-48939

iCagenda — Frontend Attachment Upload Zero-Day Exploited Hours Before Patch Release

What is iCagenda?

iCagenda is an event-calendar and event-management extension for the Joomla content management system, letting site owners publish events and allowing site visitors to register or submit content — including file attachments — through frontend forms. Because the extension is designed to accept input from unauthenticated or lightly-authenticated site visitors by design, any gap between its intended access restrictions and what its code actually enforces is immediately exploitable at scale.

Overview

iCagenda contains an unrestricted file upload vulnerability in its frontend event-submission attachment feature, caused by two stacked failures. First, the "Registered only" access-control setting was enforced only in the view layer — the code that decides whether to render the submission form — but never in the controller that actually processes a submitted request, so an unauthenticated attacker could POST directly to the controller and bypass the restriction entirely. Second, the upload handler performed no file-extension allowlist or content-type verification, writing files verbatim (with their original extension) into images/icagenda/frontend/attachments/, a directory that is PHP-executable on Joomla 6. Combined, these two gaps let any anonymous visitor upload and execute arbitrary PHP code.

Affected Versions

Product Vulnerable Versions Fixed Versions
iCagenda (legacy line) 3.2.1 – 3.9.14 3.9.15
iCagenda (current line) 4.0.0 – 4.0.7 4.0.8

The fix moves access enforcement from the view layer into the controller and routes uploaded files through Joomla's built-in MediaHelper extension allowlist.

Technical Details

  • Root cause: Access control enforced only in the presentation layer rather than the request-handling layer, combined with missing file-type validation on upload (CWE-434: Unrestricted Upload of File with Dangerous Type).
  • Attack vector: Network, no privileges or user interaction required (AV:N/AC:L/PR:N/UI:N). CVSS score: 9.8 (Critical).
  • Attack characteristics: A single unauthenticated POST request directly to the attachment-submission controller bypasses the view-layer "Registered only" check and uploads a PHP payload with its original extension preserved; the file is then executed via a direct request to its path.
  • Impact: Full remote code execution in the context of the web server process.

Discovery

mySites.guru researchers were alerted by a client who forwarded an access log on a Sunday morning showing active exploitation, identifiable by the distinctive user agent icagenda-batch/1.0. The team confirmed the vulnerability via code review, reproduced it on a clean Joomla 6 install, and privately disclosed it to the vendor the same day — June 15, 2026.

Exploitation Context

This was exploited as a true zero-day: automated attacks began around 8:00 AM UTC on June 15, 2026, just hours before the vendor's fix shipped. The Hacker News grouped this CVE together with CVE-2026-56291 (Balbooa Forms) as Joomla extension flaws "reportedly exploited as zero-days." It is the second of four closely related Joomla extension file-upload CVEs in this KEV batch discovered by mySites.guru via client-forwarded access logs (alongside CVE-2026-48908 and CVE-2026-56290/CVE-2026-56291) — all sharing the same underlying anti-pattern of missing auth or file-type checks on upload handlers. A public proof-of-concept is available on GitHub (shinthink/CVE-2026-48939). No specific threat-actor name or exposure/Shodan count has been published.

Remediation

  1. Update iCagenda to 4.0.8 (current line) or 3.9.15 (legacy line) immediately.
  2. Audit the images/icagenda/frontend/attachments/ directory for unexpected PHP files that may have been planted before patching.
  3. Review web server access logs for the icagenda-batch/1.0 user agent or other unusual POST activity to the attachment-submission endpoint, as an indicator of prior exploitation attempts.
  4. Restrict direct PHP execution in upload directories at the web server level as defense-in-depth.
  5. Follow CISA BOD 26-04 guidance given the July 13, 2026 remediation deadline and confirmed rapid zero-day exploitation.

Key Details

PropertyValue
CVE ID CVE-2026-48939
Vendor / Product iCagenda — iCagenda
NVD Published2026-06-20
NVD Last Modified2026-07-11
CVSS 3.1 Score9.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-434 find similar ↗
CISA KEV Added2026-07-10
CISA KEV Deadline2026-07-13
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2026-07-13. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2026-06-15mySites.guru observes active zero-day exploitation and privately discloses to vendor same day
2026-06-15iCagenda 4.0.8 released fixing the flaw (3.9.15 released the following day for the legacy line)
2026-07-10Added to CISA Known Exploited Vulnerabilities catalog
2026-07-13CISA BOD 22-01 remediation deadline