ON 10 July 2026 the Cybersecurity and Infrastructure Security Agency added CVE‑2026‑48939 to its Known Exploited Vulnerabilities catalogue after confirming active exploitation of a file upload flaw in the iCagenda Joomla extension.
The vulnerability, tracked as CVE‑2026‑48939, carries a CVSS base score of 10.0 and stems from an unrestricted file upload in the iCagenda attachment function that permits an attacker to place arbitrary files in a web‑accessible directory.
Once a malicious PHP file is uploaded, the attacker can trigger its execution by requesting the file directly, achieving remote code execution with the privileges of the web server process.
The addition to the KEV catalogue indicates that the flaw has been observed in the wild, although no specific threat actor has been linked to the activity; organisations using iCagenda should treat the issue as a priority for remediation.
Administrators should apply the latest patch released by the iCagenda vendor, review any unexpected files in the upload directory, and enforce strict whitelists on allowed file extensions to block future abuse.
Enabling logging for upload events, deploying a web application firewall rule that filters suspicious file types, and following CISA’s Binding Operational Directive 26‑04 on vulnerability remediation will help reduce exposure.