All incidents

CISA adds iCagenda file upload flaw (CVE-2026-48939) to KEV catalogue

incidentopenJul 10, 2026 — Jul 10, 2026

ON 10 July 2026 the Cybersecurity and Infrastructure Security Agency added CVE‑2026‑48939 to its Known Exploited Vulnerabilities catalogue after confirming active exploitation of a file upload flaw in the iCagenda Joomla extension.

The vulnerability, tracked as CVE‑2026‑48939, carries a CVSS base score of 10.0 and stems from an unrestricted file upload in the iCagenda attachment function that permits an attacker to place arbitrary files in a web‑accessible directory.

Once a malicious PHP file is uploaded, the attacker can trigger its execution by requesting the file directly, achieving remote code execution with the privileges of the web server process.

The addition to the KEV catalogue indicates that the flaw has been observed in the wild, although no specific threat actor has been linked to the activity; organisations using iCagenda should treat the issue as a priority for remediation.

Administrators should apply the latest patch released by the iCagenda vendor, review any unexpected files in the upload directory, and enforce strict whitelists on allowed file extensions to block future abuse.

Enabling logging for upload events, deploying a web application firewall rule that filters suspicious file types, and following CISA’s Binding Operational Directive 26‑04 on vulnerability remediation will help reduce exposure.

Intelligence briefing updated Jul 10, 2026

CVE-2026-48939 10.0 KEV
Root sourcenvd.nist.gov
Timeline Coverage

Swipe to explore timeline