CVE-2026-48939

PUBLISHED

Published: 20 Jun 2026, 11:56

Last modified:20 Jun 2026, 11:56

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

10 CRITICAL

v4.0 (cve.org)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

20 Jun 2026, 11:56

Published

Vulnerability first disclosed

Description

A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.

CVSS Metrics

v4.0•CRITICAL•Score: 10CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red

Techniques & Countermeasures

CWE-284•Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Affected Systems

icagenda.com•icagenda extension for joomla
1.0.0-3.9.14 | 4.0.0-4.0.7

References (1)

https://www.icagenda.com/