CVE-2026-48939: iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability

Summary

A critical vulnerability, CVE-2026-48939, has been identified in iCagenda that allows for the unrestricted upload of dangerous file types. This could lead to the execution of arbitrary PHP code on affected systems.

IFF Assessment

FOE

This vulnerability allows for arbitrary file uploads and code execution, posing a direct threat to system integrity and security.

Severity

9.8 Critical

The vulnerability allows for Remote Code Execution through unrestricted file uploads of dangerous types, leading to a high impact on Confidentiality, Integrity, and Availability. The attack vector is network, and it is highly exploitable.

CISA KEV: Listed as actively exploited. Federal patch due: July 13, 2026. Known ransomware use: Unknown.

Defender Context

This vulnerability highlights the ongoing risk of insecure file upload features in web applications. Defenders should prioritize patching or mitigating affected iCagenda instances and remain vigilant for exploitation attempts, especially those involving ransomware.

Read Full Story →