What is iCagenda?
iCagenda is an event-calendar and event-management extension for the Joomla content management system, letting site owners publish events and allowing site visitors to register or submit content — including file attachments — through frontend forms. Because the extension is designed to accept input from unauthenticated or lightly-authenticated site visitors by design, any gap between its intended access restrictions and what its code actually enforces is immediately exploitable at scale.
Overview
iCagenda contains an unrestricted file upload vulnerability in its frontend event-submission attachment feature, caused by two stacked failures. First, the "Registered only" access-control setting was enforced only in the view layer — the code that decides whether to render the submission form — but never in the controller that actually processes a submitted request, so an unauthenticated attacker could POST directly to the controller and bypass the restriction entirely. Second, the upload handler performed no file-extension allowlist or content-type verification, writing files verbatim (with their original extension) into images/icagenda/frontend/attachments/, a directory that is PHP-executable on Joomla 6. Combined, these two gaps let any anonymous visitor upload and execute arbitrary PHP code.
Affected Versions
| Product | Vulnerable Versions | Fixed Versions |
|---|---|---|
| iCagenda (legacy line) | 3.2.1 – 3.9.14 | 3.9.15 |
| iCagenda (current line) | 4.0.0 – 4.0.7 | 4.0.8 |
The fix moves access enforcement from the view layer into the controller and routes uploaded files through Joomla's built-in MediaHelper extension allowlist.
Technical Details
- Root cause: Access control enforced only in the presentation layer rather than the request-handling layer, combined with missing file-type validation on upload (CWE-434: Unrestricted Upload of File with Dangerous Type).
- Attack vector: Network, no privileges or user interaction required (
AV:N/AC:L/PR:N/UI:N). CVSS score: 9.8 (Critical). - Attack characteristics: A single unauthenticated POST request directly to the attachment-submission controller bypasses the view-layer "Registered only" check and uploads a PHP payload with its original extension preserved; the file is then executed via a direct request to its path.
- Impact: Full remote code execution in the context of the web server process.
Discovery
mySites.guru researchers were alerted by a client who forwarded an access log on a Sunday morning showing active exploitation, identifiable by the distinctive user agent icagenda-batch/1.0. The team confirmed the vulnerability via code review, reproduced it on a clean Joomla 6 install, and privately disclosed it to the vendor the same day — June 15, 2026.
Exploitation Context
This was exploited as a true zero-day: automated attacks began around 8:00 AM UTC on June 15, 2026, just hours before the vendor's fix shipped. The Hacker News grouped this CVE together with CVE-2026-56291 (Balbooa Forms) as Joomla extension flaws "reportedly exploited as zero-days." It is the second of four closely related Joomla extension file-upload CVEs in this KEV batch discovered by mySites.guru via client-forwarded access logs (alongside CVE-2026-48908 and CVE-2026-56290/CVE-2026-56291) — all sharing the same underlying anti-pattern of missing auth or file-type checks on upload handlers. A public proof-of-concept is available on GitHub (shinthink/CVE-2026-48939). No specific threat-actor name or exposure/Shodan count has been published.
Remediation
- Update iCagenda to 4.0.8 (current line) or 3.9.15 (legacy line) immediately.
- Audit the
images/icagenda/frontend/attachments/directory for unexpected PHP files that may have been planted before patching. - Review web server access logs for the
icagenda-batch/1.0user agent or other unusual POST activity to the attachment-submission endpoint, as an indicator of prior exploitation attempts. - Restrict direct PHP execution in upload directories at the web server level as defense-in-depth.
- Follow CISA BOD 26-04 guidance given the July 13, 2026 remediation deadline and confirmed rapid zero-day exploitation.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-48939 |
| Vendor / Product | iCagenda — iCagenda |
| NVD Published | 2026-06-20 |
| NVD Last Modified | 2026-07-11 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-434 find similar ↗ |
| CISA KEV Added | 2026-07-10 |
| CISA KEV Deadline | 2026-07-13 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-06-15 | mySites.guru observes active zero-day exploitation and privately discloses to vendor same day |
| 2026-06-15 | iCagenda 4.0.8 released fixing the flaw (3.9.15 released the following day for the legacy line) |
| 2026-07-10 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-07-13 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-48939 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| iCagenda — Official Download Page | Vendor |
| mySites.guru — iCagenda zero-day file upload RCE | Security Research |
| The Hacker News — iCagenda and Balbooa Forms Joomla flaws exploited as zero-days | News |
| BleepingComputer — CISA warns of actively exploited RCE flaws in Joomla extensions | News |