CVE-2026-48939: iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability
Summary
A critical vulnerability, CVE-2026-48939, has been identified in iCagenda that allows for the unrestricted upload of dangerous file types. This could lead to the execution of arbitrary PHP code on affected systems.
IFF Assessment
This vulnerability allows for arbitrary file uploads and code execution, posing a direct threat to system integrity and security.
Severity
The vulnerability allows for Remote Code Execution through unrestricted file uploads of dangerous types, leading to a high impact on Confidentiality, Integrity, and Availability. The attack vector is network, and it is highly exploitable.
CISA KEV: Listed as actively exploited. Federal patch due: July 13, 2026. Known ransomware use: Unknown.
Defender Context
This vulnerability highlights the ongoing risk of insecure file upload features in web applications. Defenders should prioritize patching or mitigating affected iCagenda instances and remain vigilant for exploitation attempts, especially those involving ransomware.