ON 10 July 2026 the Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2026‑48939 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw resides in iCagenda’s iCagenda product and is named the iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability. It permits an attacker to upload arbitrary files through the attachment function, which can then be executed as PHP code on the affected server.
The vulnerability is classified as an unrestricted file‑upload issue. Successful exploitation lets an attacker place a malicious file on the web‑accessible upload directory and trigger its execution, leading to remote code execution with the privileges of the web server. The Common Vulnerability Scoring System assigns a base score of 10.0, rating the issue as CRITICAL. A patch has been released; administrators should upgrade to iCagenda version 3.9.15 or later, which is available from the vendor’s changelog.
Because the flaw is being actively exploited in the wild, CISA placed it in the KEV list. No public reports link this vulnerability to ransomware campaigns at this time. Federal Civilian Executive Branch (FCEB) agencies must apply the required mitigations by the CISA remediation due date of 13 July 2026. All other organisations are urged to assess their exposure and prioritise patching.
CISA’s required action is to apply mitigations in accordance with vendor instructions, ensuring compliance with Binding Operational Directive (BOD) 26‑04, which prioritises security updates based on risk, and to follow the agency’s Forensics Triage Requirements. Stakeholders must evaluate each asset’s internet exposure and adhere to BOD 26‑04 patching guidelines; if mitigations cannot be applied, the product should be discontinued for cloud services or otherwise removed from use. While the directive binds FCEB agencies, CISA advises all organisations to review their iCagenda deployments and implement the patch promptly.
For full technical details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-48939 and the CISA KEV catalogue.