Jul 16, 2026·5 min read·4 visits
Unauthenticated arbitrary file upload in iCagenda allows remote code execution via direct POST requests to controller endpoints.
CVE-2026-48939 is a critical vulnerability in the iCagenda events calendar extension for Joomla that allows unauthenticated remote attackers to execute arbitrary code via unrestricted file uploads. The flaw stems from a lack of server-side validation of file uploads and missing authorization checks at the controller level. Successful exploitation results in complete compromise of the affected web application host.
CVE-2026-48939 is a critical zero-day vulnerability affecting the iCagenda events calendar extension for Joomla Content Management System (CMS) platforms. The flaw allows remote, unauthenticated attackers to execute arbitrary code on the target server by exploiting an unrestricted file upload vulnerability.\n\nThe vulnerability exists because the software implements access control checks solely on the frontend presentation layer while leaving the corresponding backend controller endpoint entirely open to unauthenticated operations. Consequently, an attacker can bypass the restriction settings configured by system administrators.\n\nFurthermore, the component lacks server-side validation mechanisms for file types, extensions, or MIME types. Files uploaded through this channel are stored directly in a web-accessible directory, allowing direct command execution when requested.
The root cause of CVE-2026-48939 lies in the combination of missing authorization checks (CWE-284) and unrestricted file uploads (CWE-434). The frontend forms within the com_icagenda component check if a user has permission to upload event registration attachments, but the backend controller does not validate the session of incoming requests.\n\nWhen a request is made to the registration.submit or submit controller tasks, the system executes the upload process without verifying whether the source is authenticated. This operational separation between the view and controller layers is a common architectural flaw in legacy extensions.\n\nAdditionally, the file handling logic lacks an allowlist check for extensions. Uploaded files are directly written to /images/icagenda/frontend/attachments/ without modifications to their names or extensions, and the directory allows the execution of PHP scripts by default.
The vulnerable implementation fails to perform standard authorization checks before processing file uploads. The backend code processes input files directly from the request object and saves them to the file system.\n\nphp\n// Vulnerable Code Logic\npublic function submit() {\n // Missing user access control validation\n $app = JFactory::getApplication();\n $file = $this->input->files->get('jform');\n \n // Directly saving the attachment without type validation\n if (isset($file['attachment'])) {\n $dest = JPATH_SITE . '/images/icagenda/frontend/attachments/' . $file['attachment']['name'];\n move_uploaded_file($file['attachment']['tmp_name'], $dest);\n }\n}\n\n\nTo resolve this issue, the updated version of iCagenda introduces user access control checks and file extension validation. The patched logic enforces specific checks before executing the upload routine.\n\nphp\n// Patched Code Logic\npublic function submit() {\n // Enforce authorization checks at the controller level\n $user = JFactory::getUser();\n if (!$user->authorise('core.create', 'com_icagenda')) {\n throw new Exception(JText::_('JERROR_ALERTNOAUTHOR'), 403);\n }\n\n $file = $this->input->files->get('jform');\n if (isset($file['attachment'])) {\n $fileName = $file['attachment']['name'];\n $ext = strtolower(JFile::getExt($fileName));\n $allowedExts = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];\n\n // Strictly validate file extension\n if (!in_array($ext, $allowedExts)) {\n throw new Exception(JText::_('COM_ICAGENDA_ERROR_INVALID_FILE_TYPE'), 400);\n }\n\n $dest = JPATH_SITE . '/images/icagenda/frontend/attachments/' . JFile::makeSafe($fileName);\n move_uploaded_file($file['attachment']['tmp_name'], $dest);\n }\n}\n
An attacker can exploit this vulnerability by sending a multipart HTTP POST request targeting the unprotected backend controller tasks. The request contains the payload representing a PHP web shell disguised as an attachment.\n\nmermaid\ngraph LR\n A["Attacker Component"] -->|"1. POST /index.php?option=com_icagenda&task=registration.submit"| B["Joomla Backend Controller"]\n B -->|"2. Unvalidated File Write"| C["Upload Directory: /images/icagenda/frontend/attachments/"]\n A -->|"3. HTTP GET to uploaded PHP shell"| C\n C -->|"4. Command Execution Output"| A\n\n\nOnce the upload is successful, the attacker sends a standard GET request to the uploaded script path. Because the target directory has execution permissions enabled, the server's PHP processor interprets the script and executes any commands appended via URL parameters.\n\nThis behavior makes scanning and weaponization of the target easy to automate. Exploit scripts frequently perform verification requests to identify the presence of the component, upload a test script, execute a simple proof-of-concept command, and then delete the uploaded script to evade detection.
The impact of CVE-2026-48939 is classified as critical, receiving a maximum CVSS v4.0 score of 10.0. A successful exploit grants unauthenticated attackers remote command execution under the privileges of the web server user.\n\nWith command execution capabilities, attackers can read sensitive configuration files, including Joomla's configuration.php which holds database credentials. Attackers can then extract, modify, or delete database tables, compromising application data integrity.\n\nFurthermore, this vulnerability can serve as an entry point for deeper network intrusion, ransomware installation, and persistence mechanisms. Due to the ease of automated discovery, the vulnerability has been utilized in widespread scanning campaigns as cataloged by CISA.
Securing affected installations requires immediate updates to the latest software versions. Administrators should update iCagenda components to 4.0.8 or 3.9.15 depending on their Joomla system version.\n\nIf immediate software updates are not feasible, administrators must implement server-level controls to prevent script execution within the uploads folder. For Apache servers, an .htaccess file can be placed inside the attachments directory to deny PHP execution.\n\napache\n# Deny execution of PHP files within the directory\n<FilesMatch "\\.(php|phtml|php3|php4|php5|phar|pht)$">\n Order Deny,Allow\n Deny from all\n</FilesMatch>\n\n\nFor Nginx servers, matching patterns inside the server configuration should be defined to block script requests from execution directories.\n\nnginx\n# Block execution of scripts inside uploads directory\nlocation ~* ^/images/.*\\.php$ {\n deny all;\n return 403;\n}\n
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red| Product | Affected Versions | Fixed Version |
|---|---|---|
iCagenda Joomlic | >= 3.2.1, < 3.9.15 | 3.9.15 |
iCagenda Joomlic | >= 4.0.0, < 4.0.8 | 4.0.8 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-434, CWE-284 |
| Attack Vector | Network |
| CVSS Score | 10.0 (Critical) |
| Exploit Status | Active exploitation in the wild |
| CISA KEV Status | Listed on July 10, 2026 |
The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
A Denial of Service (DoS) vulnerability in the Rust crate `serde_with` arises from an integer underflow and uncontrolled memory allocation during the processing of empty collections using the `KeyValueMap` helper. Depending on the build profile, this flaw leads to an immediate thread panic (debug) or process abort due to an out-of-memory condition (release).
A high-severity vulnerability exists in the adawolfa/isdoc PHP library before versions 1.4.1 and 2.0.0. The library fails to restrict or validate the sizes of files extracted from untrusted Zip archives (.isdocx container files) or PDF embedded streams. This allows remote attackers to perform decompression bomb attacks, causing denial of service via memory or disk exhaustion.
A critical remote code execution vulnerability exists in django-haystack prior to version 3.4.0. The vulnerability stems from the Elasticsearch 1.x search backend incorrectly processing aliased search result fields, leading to the unsafe execution of user-supplied strings using Python's built-in eval() function.
The obsidian-local-rest-api plugin prior to version 4.1.3 is vulnerable to an authenticated path traversal flaw in its /vault/{path} endpoints. An authenticated attacker can bypass the vault root boundary using URL-encoded directory traversal sequences to perform unauthorized operations on the host filesystem.
An authenticated Server-Side Request Forgery (SSRF) vulnerability in Koel, an open-source personal music streaming server, allows remote attackers to probe internal hosts and loopback addresses. The vulnerability arises due to a missing 'bail' validation rule in the Laravel-based form validation pipeline, which permits downstream HTTP checks to execute even after a URL has failed security verification.
A Server-Side Request Forgery (SSRF) vulnerability in the open-source personal music streaming server Koel allows authenticated Subsonic API users to perform unauthorized network queries. This flaw resides in both the Subsonic podcast feed import routine and the subsequent redirect handling inside the podcast streaming helper, exposing private local networks and internal loopback systems to unauthorized reconnaissance and interaction.