[KEV] CVE-2026-48939 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-48939 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2026-48939 is an unrestricted file upload vulnerability in iCagenda, a Joomla-based event management extension, affecting the file attachment feature and allowing unauthenticated or authenticated attackers to upload and execute arbitrary PHP files on the server.
Technical Detail
The flaw exists because iCagenda fails to properly validate or restrict the file types accepted through its attachment upload functionality, permitting an attacker to submit a PHP file where only benign document types should be accepted. Once the malicious file is written to a web-accessible directory, the attacker can issue an HTTP request to that path, triggering server-side PHP execution and achieving remote code execution (RCE) on the underlying host. Successful exploitation grants the attacker the ability to run arbitrary commands under the web server process context, which can lead to full server compromise, data exfiltration, or deployment of additional payloads.
Exploitation Status
CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities catalog on July 10, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliable exploitation exists and is being used in real-world attacks, not merely as a proof-of-concept demonstration. Organizations running iCagenda should treat this as an actively weaponized vulnerability requiring immediate response.
Who Is Targeting This
No confirmed, ATTAX-verified threat actor attribution is available at this time. Reported (research-inferred) actors associated with this vulnerability at medium confidence include DEEPPANDA, CARBANAK, LOTUSBLOSSOM, AXIOM, and MOONSTONESLEET. The motivations and origins of these actors in relation to this specific vulnerability have not been established. These attributions should be treated as investigative leads rather than confirmed findings, and no targeted sectors or active campaigns have been formally linked to this CVE.
What To Do
Per CISA's Known Exploited Vulnerabilities catalog, organizations subject to BOD 22-01 must apply mitigations or patch by the deadline associated with the July 10, 2026 listing date, which is typically 21 days from addition for federal civilian executive branch agencies. All operators of iCagenda should update to the latest patched version immediately. If a patch is not yet available or cannot be applied immediately, administrators should disable the file attachment feature in iCagenda's configuration, enforce server-level restrictions blocking PHP execution in upload directories via web server configuration rules, and audit existing upload directories for any previously deposited PHP files. Detection efforts should focus on web server access logs for requests to upload directories returning HTTP 200 responses, and on file system monitoring for newly created PHP files in web-accessible paths.