CVE-2026-48939 PUBLISHED

Joomla Extension - icagenda.com - Remote Code Execution in iCagenda extension for Joomla < 4.0.8/3.9.15

Assigner: Joomla
Reserved: 26.05.2026 Published: 20.06.2026 Updated: 20.06.2026

A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red
CVSS Score: 10

Product Status

Vendor: icagenda.com
Product: iCagenda extension for Joomla
Versions: Default: unaffected
  • Version 1.0.0-3.9.14 is affected
  • Version 4.0.0-4.0.7 is affected

Credits

  • Phil Taylor (finder)

Problem Types

  • CWE-284: Improper Access Control

Impacts

  • CAPEC-242: Code Injection