🔴 Critical | Source: CISA Known Exploited Vulnerabilities
A critical vulnerability in the iCagenda Joomla extension allows attackers to upload arbitrary files — including PHP scripts — via the file attachment feature, enabling remote code execution on the hosting server. This flaw has been confirmed as actively exploited and added to CISA’s Known Exploited Vulnerabilities catalogue, with a remediation deadline of 13 July 2026. Any site running iCagenda is at risk of full server compromise if left unpatched.
Security Architect’s Take: Audit all Joomla deployments across your estate for the iCagenda extension and apply the vendor patch or disable the file attachment feature immediately; additionally, ensure web application firewall rules block PHP file uploads and that your hosting environment restricts execution permissions in upload directories.
Original advisory: CVE-2026-48939: iCagenda iCagenda