CVE-2026-48939

Published Jun 20, 2026

Last updated a day ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-48939 describes an unrestricted file upload vulnerability found within the iCagenda extension for Joomla. This flaw permits the upload of arbitrary files through the file attachment feature. The vulnerability ultimately enables the upload and execution of PHP code on the affected server. This issue has been added to CISA's Known Exploited Vulnerabilities Catalog, indicating that it is being actively exploited.

Description
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
Source
security@joomla.org
NVD status
Analyzed
Products
icagenda

Risk scores

CVSS 4.0

Type
Secondary
Base score
10
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red
Severity
CRITICAL

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability
Exploit added on
Jul 10, 2026
Exploit action due
Jul 13, 2026
Required action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Weaknesses

security@joomla.org
CWE-434
nvd@nist.gov
CWE-434

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

3

  1. 🚨 CRITICAL: CVE-2026-48939 in iCagenda allows unrestricted file upload leading to PHP code execution. CISA KEV-listed—actively exploited. Patch immediately. #CVE #PatchNow #ThreatIntel https://t.co/6e9e6g0nLG

    @DFIR_Lab

    12 Jul 2026

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🟦 PCMedicalist Signal · Jul 11 • CVE-2026-56291 — Balbooa Forms Unrestricted Upload of File… — CISA KEV Vulns • CVE-2026-48939 — iCagenda Unrestricted Upload of File with… — CISA KEV Vulns #VulnerabilityIntelligence SecOps · Blue Team · Autonomous Builds htt

    @PCMedicalist

    11 Jul 2026

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. TRC analysis shows attackers are exploiting Joomla extension vulnerabilities (CVE-2026-48939, CVE-2026-56291) to upload malicious PHP files and execute remote code. Once compromised, they pivot laterally across internal networks. Runtime segmentation helps contain post-compromise

    @aviatrixtrc

    11 Jul 2026

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🔒 #CyberSecurity CVE-2026-48939 & CVE-2026-56291: CISA KEV Alert on iCagenda and Balbooa Forms E… "On July 10, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added two…" 🔗 https://t.co/jXXXyKlEKS #CyberSecurity #ThreatIntel #cve #zeroday #patc

    @SecurityAr58409

    11 Jul 2026

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🟦 PCMedicalist Signal · Jul 11 • CVE-2026-56291 — Balbooa Forms Unrestricted Upload of File… — CISA KEV Vulns • CVE-2026-48939 — iCagenda Unrestricted Upload of File with… — CISA KEV Vulns #VulnerabilityIntelligence SecOps · Blue Team · Autonomous Builds htt

    @PCMedicalist

    11 Jul 2026

    47 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 米国サイバーセキュリティ・社会基盤安全保障庁(CISA)が既知の悪用された脆弱性カタログにiCagendaのCVE-2026-48939とBalbooa FormsのCVE-2026-56291を追加。対処期限は3日後の7/13。ランサムウェアによる悪用は不知。 https:

    @__kokumoto

    11 Jul 2026

    1192 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  7. 🛡️ @CISACyber added iCagenda vulnerability CVE-2026-48939 & Balbooa Forms vulnerability CVE-2026-56291 to our KEV Catalog. Visit https://t.co/Hr1Rpw9Skf & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec

    @chris_uk2026

    11 Jul 2026

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Two Joomla! extensions added to the KEVs. CVE-2026-48939: iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability and CVE-2026-56291: Balbooa Forms Unrestricted Upload of File with Dangerous Type

    @kaotickjay

    11 Jul 2026

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CISA 7月10日把两个 Joomla 生态漏洞加入 KEV 已知被利用漏洞目录,值得网站运维和安全团队留意。 这两个漏洞分别是 CVE-2026-48939(iCagenda)和 CVE-2026-56291(Balbooa Forms)。NVD/CVE 记录显示,它们都与不受限制的文件上

    @jojo_licg

    11 Jul 2026

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🔒 #CyberSecurity CVE-2026-48939: Active Exploitation of iCagenda File Upload Vulnerability "On July 10, 2026, CISA added CVE-2026-48939 to the Known Exploited Vulnerabilities (KEV)…" 🔗 https://t.co/AcmO6BezYE #CyberSecurity #ThreatIntel #cve202648939 #critical #cisake

    @SecurityAr58409

    11 Jul 2026

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 🚨 CRITICAL: CVE-2026-48939 (CVSS 9.8) iCagenda extension for Joomla allows arbitrary file upload leading to PHP code execution. No authentication required. Patch immediately if using this extension. #CVE #Vulnerability #PatchNow https://t.co/IR5Xotw24I

    @DFIR_Lab

    5 Jul 2026

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CVE-2026-48939 Arbitrary File Upload and PHP Code Execution in iCagenda Joomla E... https://t.co/ZoboriMlPE Vulnerability Alert Subscriptions: https://t.co/hrQhy5uz4x

    @VulmonFeeds

    20 Jun 2026

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations