HTProtect.org
Independent information site on Joomla security vulnerabilities
Security vulnerability

iCagenda – critical unauthenticated file upload

Critical · CVE: Not yet publicly assigned
Act now
Update iCagenda to version 4.0.8.

Secure version: iCagenda 4.0.8 · free download

At a glance

Affected extension: iCagenda – event calendar
Vendor:
Type of flaw: Missing real login check in the event submission form → unauthenticated file upload
Affected versions: All versions before 4.0.8 (e.g. 4.0.7 and older)
Secure version: iCagenda 4.0.8
Severity: Critical
CVE: Not yet publicly assigned
Joomla compatibility: Joomla 4 / 5
Status / published: Published 15 June 2026

What is this about?

iCagenda is a widely used extension for event calendars. The form for submitting events lacked a real login check. As a result, unauthenticated attackers could upload files, even when the form was intended for registered users only.

All versions before 4.0.8 are affected (in particular 4.0.7 and older). The fix, iCagenda 4.0.8, was released on 15 June 2026. A CVE number had not yet been publicly assigned at the time of the report.

Uploaded files typically end up under images/icagenda/frontend/. An .htaccess rule can prevent PHP execution in this folder – a sensible hardening measure, but it does not replace the update.

Time is a factor
Once technical details become public, automated scanners typically pick up such flaws within hours. Update promptly.

Am I affected? – How to check

  1. Open the back end

    Log in to the Joomla administrator.

  2. Check the iCagenda version

    Open Extensions → Manage → Manage and filter for "iCagenda".

  3. Assess the version

    If the version is below 4.0.8, action is urgently needed.

How to fix it

Before any update: back up
Back up your files and database before updating – so you can roll back if anything goes wrong (e.g. via Akeeba Backup or your host).

  1. Open the Update center

    Go to System → Update → Extensions and click Check for updates.

  2. Update iCagenda

    Select the iCagenda entry and click Update (target version 4.0.8).

  3. Verify the version

    Confirm that 4.0.8 is now installed.

Manual installation (alternative)
Alternatively, download the package from icagenda.com and install it via Extensions → Manage → Install. Important: do not restore old backup files – install version 4.0.8 cleanly.

Official source: free download. Make sure you have at least iCagenda 4.0.8.

Has the site already been attacked?

Already-attacked sites need more than an update
Check the folder images/icagenda/frontend/ for files that do not belong there. If the site is compromised, a structured clean-up is required – simply deleting individual files is not enough.
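
One way to carry out this folder check from the command line, as an added example that is not code from htprotect.org or from iCagenda: a read-only Python script that lists every file under the upload folder that is not a plain image. The allowed image extensions, the risky-extension list and the function names are assumptions made for this example; adjust them to what your site legitimately stores.

```python
import os
import sys

# Assumption: only these image types are expected in the upload folder.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
# Extensions a PHP-enabled server may execute, plus per-directory server config.
RISKY_EXT = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7", ".htaccess"}
# Leading bytes of JPEG, PNG, GIF and RIFF (WebP) files.
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"RIFF")


def audit_file(path):
    """Return the reasons (possibly none) why a file needs a manual look."""
    parts = os.path.basename(path).lower().split(".")
    exts = {"." + p for p in parts[1:]}   # every extension, e.g. x.php.jpg
    final = "." + parts[-1] if len(parts) > 1 else ""
    with open(path, "rb") as fh:
        data = fh.read(1024 * 1024)       # only the first 1 MiB is scanned
    reasons = []
    if exts & RISKY_EXT:
        reasons.append("executable or server-config extension")
    elif final not in ALLOWED_EXT:
        reasons.append("unexpected file type")
    if b"<?php" in data.lower():
        reasons.append("contains a PHP open tag")
    if final in ALLOWED_EXT and not data.startswith(MAGIC):
        reasons.append("image extension but no image header")
    return reasons


def audit_tree(root):
    """Walk root and return {path: reasons} for every file that was flagged."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            reasons = audit_file(path)
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    # Default is the upload folder named above, relative to the Joomla root.
    root = sys.argv[1] if len(sys.argv) > 1 else "images/icagenda/frontend"
    for path, reasons in sorted(audit_tree(root).items()):
        print(f"{path}: {', '.join(reasons)}")
```

Run it from the Joomla root directory, or pass the folder as the first argument. A flagged file is a prompt for manual review, and an empty result does not prove the site is clean.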

Sources & further reading

The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.
