DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-48939: CVE-2026-48939: Unauthenticated Remote Code Execution in Joomla iCagenda Extension

CVE-2026-48939: Unauthenticated Remote Code Execution in Joomla iCagenda Extension

Vulnerability ID: CVE-2026-48939
CVSS Score: 10.0
Published: 2026-06-20

CVE-2026-48939 is a critical vulnerability in the iCagenda events calendar extension for Joomla that allows unauthenticated remote attackers to execute arbitrary code via unrestricted file uploads. The flaw stems from a lack of server-side validation of file uploads and missing authorization checks at the controller level. Successful exploitation results in complete compromise of the affected web application host.

TL;DR

Unauthenticated arbitrary file upload in iCagenda allows remote code execution via direct POST requests to controller endpoints.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-434, CWE-284
  • Attack Vector: Network
  • CVSS Score: 10.0 (Critical)
  • Exploit Status: Active exploitation in the wild
  • CISA KEV Status: Listed on July 10, 2026

Affected Systems

  • Joomla instances running iCagenda 3.2.1 through 3.9.14
  • Joomla instances running iCagenda 4.0.0 through 4.0.7
  • iCagenda: >= 3.2.1, < 3.9.15 (Fixed in: 3.9.15)
  • iCagenda: >= 4.0.0, < 4.0.8 (Fixed in: 4.0.8)

Exploit Details

  • GitHub (shinthink): Exploit tool automating scanning, target detection, shell uploading, and cleanup.
  • GitHub (Polosss): Exploit repository demonstrating arbitrary file upload bypass.

Mitigation Strategies

  • Upgrade iCagenda extension to version 4.0.8 (for Joomla 4.x/5.x/6.x) or 3.9.15 (for legacy Joomla 3.x)
  • Configure web server rules to deny script execution inside the /images/ directory
  • Temporarily rename or delete the com_icagenda directories if patching is delayed

Remediation Steps:

  1. Navigate to Joomla administrator panel and check the version of the iCagenda component.
  2. Download the patched package (4.0.8 or 3.9.15) from the official iCagenda website.
  3. Install the update via the Joomla Extension Manager to replace vulnerable files.
  4. Verify the directory /images/icagenda/frontend/attachments/ for any suspicious PHP files.
  5. Implement server-level execution blockings using Apache .htaccess or Nginx configuration blocks.

References


Read the full report for CVE-2026-48939 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)