2026-07-10 · view entry permalink →
CVE-2026-48939 — iCagenda for Joomla: unauthenticated file-upload-to-RCE, exploited as a zero-day, added to CISA KEV (CVSS 4.0 10.0)
iCagenda's frontend "Submit an Event" form processed uploaded attachments by keeping the visitor-supplied file extension and writing the file straight to images/icagenda/frontend/attachments/ under the web root, with no extension allow-list and no content-type check (mySites.guru, 2026-06-15). Crucially, the "who may submit an event" access check was applied only in the view that decides whether to draw the form, never in the controller that processed the submission — so an attacker harvested a form token from any public iCagenda page and POSTed directly to the processing endpoint, bypassing the "Registered users only" setting entirely with no account. On Joomla 6 the uploaded .php file is web-served and executes, giving unauthenticated remote code execution; on Joomla 2.5 through 5, core upload filtering blocks the shell, but the same authorization bypass still lets an anonymous visitor create unapproved events (mySites.guru, 2026-06-15). CISA's dated alert confirms this as one of exactly two KEV additions on 2026-07-10 (CISA, 2026-07-10).
This is the fourth Joomla third-party extension in roughly a month to ship the same unauthenticated-upload-to-RCE shape surfaced by the same researcher, after the SP Page Builder, Page Builder CK and Balbooa Forms cluster — a recurring third-party-extension exposure for the Joomla estates common across Swiss and European municipal and public-sector web infrastructure.
iCagenda did not maintain its own allow-list of permitted extensions on this path, did not block `.php`, and did not check that the file was actually the image type it claimed to be.
A flaw being actively used in the wild, with no fixed version to update to, is the definition of a zero day