Description
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
Published: 2026-06-20
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The iCagenda extension for Joomla contains a flaw that allows an attacker to upload arbitrary files via the file attachment feature, ultimately leading to PHP code upload and execution. The analysis treats this as privilege escalation leading to remote code execution, classified under CWE-284 (Improper Access Control), which can compromise the entire web application and the underlying server.

Affected Systems

The affected product is the iCagenda extension for Joomla, provided by icagenda.com. iCagenda versions older than 4.0.8 or 3.9.15 are vulnerable. No further version details are supplied by the CNA.

Risk and Exploitability

The CVSS score of 10 indicates the highest severity. EPSS data is unavailable, so the exact exploitation likelihood is unknown, but the vulnerability is known to be fully exploitable via the web interface's file attachment upload. The attack likely requires an authenticated session with permission to upload attachments, although the published CVSS 4.0 vector lists PR:N (no privileges required) and UI:N (no user interaction). The impact is significant whenever a malicious file can be stored in a location where the web server executes it. The vulnerability is not listed in CISA KEV, but the potential for catastrophic compromise warrants immediate attention.

Generated by OpenCVE AI on June 20, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iCagenda extension to version 4.0.8 or later (or 3.9.15 or later) as released by the vendor.
  • Disable or remove the file attachment feature if possible while awaiting a patch.
  • Move the upload directory outside the web server's document root or configure the server to disallow execution of uploaded files, ensuring that only safe file types can be stored.

Advisories

No advisories yet.

References
Link: https://www.icagenda.com/
History

Sat, 20 Jun 2026 12:45:00 +0000

Values added (no values removed):

  • Description: A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
  • Title: Joomla Extension - icagenda.com - Remote Code Execution in iCaganda extension for Joomla < 4.0.8/3.9.15
  • Weaknesses: CWE-284
  • References
  • Metrics: cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-20T11:56:50.752Z

Reserved: 2026-05-26T16:47:13.549Z

Link: CVE-2026-48939

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T13:30:06Z

Weaknesses