ctipilot.ch

iCagenda for Joomla — unauthenticated file-upload-to-RCE, exploited zero-day, CISA KEV

cve · CVE-2026-48939

Coverage timeline
1
first 2026-07-10 → last 2026-07-10
Peak priority
high
1 high
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
2
see Related entities below
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
JoomliC iCagenda

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-10/cve-2026-48939-icagenda-joomla-unauth-file-upload-rce-kev · ATT&CK page ↗

Persistence TA0003

T1505.003Server Software Component: Web Shell×1

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

Evidence: 2026-07-10/cve-2026-48939-icagenda-joomla-unauth-file-upload-rce-kev · ATT&CK page ↗

Story timeline

  1. 2026-07-10CVE-2026-48939 — iCagenda for Joomla: unauthenticated file-upload-to-RCE, exploited as a zero-day, added to CISA KEV (CVSS 4.0 10.0)
    trending-vulnerabilitiesCISA KEV-lists an actively-exploited unauth RCE in the iCagenda Joomla extension — RCE hits Joomla 6, auth bypass hits all versions

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • cisa.gov1 (50%)
  • mysites.guru1 (50%)

Related entities

Entries about iCagenda for Joomla — unauthenticated file-upload-to-RCE, exploited zero-day, CISA KEV (1)

2026-07-10 · view entry permalink →

HIGHCVE-2026-48939exploitedNATOB1

CVE-2026-48939 — iCagenda for Joomla: unauthenticated file-upload-to-RCE, exploited as a zero-day, added to CISA KEV (CVSS 4.0 10.0)

iCagenda's frontend "Submit an Event" form processed uploaded attachments by keeping the visitor-supplied file extension and writing the file straight to images/icagenda/frontend/attachments/ under the web root, with no extension allow-list and no content-type check (mySites.guru, 2026-06-15). Crucially, the "who may submit an event" access check was applied only in the view that decides whether to draw the form, never in the controller that processed the submission — so an attacker harvested a form token from any public iCagenda page and POSTed directly to the processing endpoint, bypassing the "Registered users only" setting entirely with no account. On Joomla 6 the uploaded .php file is web-served and executes, giving unauthenticated remote code execution; on Joomla 2.5 through 5, core upload filtering blocks the shell, but the same authorization bypass still lets an anonymous visitor create unapproved events (mySites.guru, 2026-06-15). CISA's dated alert confirms this as one of exactly two KEV additions on 2026-07-10 (CISA, 2026-07-10).

This is the fourth Joomla third-party extension in roughly a month to ship the same unauthenticated-upload-to-RCE shape surfaced by the same researcher, after the SP Page Builder, Page Builder CK and Balbooa Forms cluster — a recurring third-party-extension exposure for the Joomla estates common across Swiss and European municipal and public-sector web infrastructure.

iCagenda did not maintain its own allow-list of permitted extensions on this path, did not block `.php`, and did not check that the file was actually the image type it claimed to be.

A flaw being actively used in the wild, with no fixed version to update to, is the definition of a zero day

mySites.guru 2026-06-15
vulnerability10 Jul 20:34Zmulti-sourceOpen finding ↗
Sources: mySites.guru · CISA