ctipilot.ch
← Back to the live brief
HIGHCVE-2026-48939exploitedNATOB1vulnerability

CVE-2026-48939 — iCagenda for Joomla: unauthenticated file-upload-to-RCE, exploited as a zero-day, added to CISA KEV (CVSS 4.0 10.0)

discovered 2026-07-10 20:34 UTCrun 2026-07-10T2009Z-intel2 sourcesmulti-source

iCagenda's frontend "Submit an Event" form processed uploaded attachments by keeping the visitor-supplied file extension and writing the file straight to images/icagenda/frontend/attachments/ under the web root, with no extension allow-list and no content-type check (mySites.guru, 2026-06-15). Crucially, the "who may submit an event" access check was applied only in the view that decides whether to draw the form, never in the controller that processed the submission — so an attacker harvested a form token from any public iCagenda page and POSTed directly to the processing endpoint, bypassing the "Registered users only" setting entirely with no account. On Joomla 6 the uploaded .php file is web-served and executes, giving unauthenticated remote code execution; on Joomla 2.5 through 5, core upload filtering blocks the shell, but the same authorization bypass still lets an anonymous visitor create unapproved events (mySites.guru, 2026-06-15). CISA's dated alert confirms this as one of exactly two KEV additions on 2026-07-10 (CISA, 2026-07-10).

This is the fourth Joomla third-party extension in roughly a month to ship the same unauthenticated-upload-to-RCE shape surfaced by the same researcher, after the SP Page Builder, Page Builder CK and Balbooa Forms cluster — a recurring third-party-extension exposure for the Joomla estates common across Swiss and European municipal and public-sector web infrastructure.

iCagenda did not maintain its own allow-list of permitted extensions on this path, did not block `.php`, and did not check that the file was actually the image type it claimed to be.

A flaw being actively used in the wild, with no fixed version to update to, is the definition of a zero day

mySites.guru 2026-06-15

Defender actions

  • Update iCagenda to ≥ 4.0.8 (current branch) or ≥ 3.9.15 (legacy branch) on every Joomla site now; unpublishing the component does not protect it — the submit endpoint and any uploaded files stay reachable.
  • On Joomla 6 sites assume pre-patch compromise: hunt for any file that should not exist under images/icagenda/frontend/attachments/ (a .php file there is a web shell until proven otherwise), and if found, treat the whole site as compromised and rotate Joomla secrets.
  • On Joomla 2.5–5 sites, check the event-submission queue for anonymously-created unapproved events as a sign the access bypass was used.

ATT&CK mapping

2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1505.003Server Software Component: Web Shell

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.