Description
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
Published: 2026-06-20
Score: 10 Critical
EPSS: < 1% Very Low
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

The iCagenda extension for Joomla contains a flaw that allows an attacker to upload arbitrary files via the file attachment feature, ultimately leading to PHP code upload and execution. This vulnerability is classified as CWE-434.

Affected Systems

The affected product is the iCagenda extension for Joomla, provided by icagenda.com. Versions older than Joomla 4.0.8 or 3.9.15 are vulnerable. No further version details are supplied by the CNA.

Risk and Exploitability

The CVSS score of 10 indicates the highest severity. EPSS score of <1% indicates a very low but non-zero exploitation probability. The vulnerability can be fully exploited via the web interface's file attachment upload. The vulnerability is not listed in CISA KEV, and because it enables PHP code execution, it poses a significant threat.

Generated by OpenCVE AI on July 10, 2026 at 12:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iCagenda extension to version 4.0.8 or later (or 3.9.15 or later) as released by the vendor.
  • Disable or remove the file attachment feature if possible while awaiting a patch.
  • Move the upload directory outside the root or configure the server to disallow execution of uploaded files, ensuring that only safe file types can be stored.

Generated by OpenCVE AI on July 10, 2026 at 12:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 10 Jul 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-07-10T00:00:00+00:00', 'dueDate': '2026-07-13T00:00:00+00:00'}


Sun, 05 Jul 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284 CWE-434

Thu, 02 Jul 2026 17:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 19:30:00 +0000


Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Icagenda.com
Icagenda.com icagenda Extension For Joomla
Vendors & Products Icagenda.com
Icagenda.com icagenda Extension For Joomla

Sat, 20 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
Title Joomla Extension - icagenda.com - Remote Code Execution in iCaganda extension for Joomla < 4.0.8/3.9.15
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red'}


Subscriptions

Icagenda.com Icagenda Extension For Joomla
cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-07-10T19:58:23.794Z

Reserved: 2026-05-26T16:47:13.549Z

Link: CVE-2026-48939

cve-icon Vulnrichment

Updated: 2026-06-22T17:44:21.023Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T12:15:16Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type