iCagenda security vulnerability: update iCagenda to 4.0.8 now
Version 4.0.8 of the Joomla event extension iCagenda (by JoomliC) was released today, June 15, 2026. It is a security update you should not put off until tomorrow: it closes a critical vulnerability that let an unauthenticated attacker submit events and, in the process, upload a file to the server. According to the reporter, the vulnerability is already being actively exploited.
Technical details are deliberately being withheld for now, and no CVE number has been assigned publicly yet. That gives you a small head start; use it. Once the details become public, exploitation of vulnerabilities like this is typically automated within hours. If you use iCagenda, apply the iCagenda update today.
What is iCagenda - and who is affected?
iCagenda is a widely used event component for Joomla: an event calendar that displays events and, depending on the configuration, also lets visitors submit them. That submission function is exactly the vulnerable point.
All iCagenda versions before 4.0.8 are affected, including the previous release, 4.0.7. It does not matter whether the submission form is visibly linked on your site: the submission handler is reachable without it, so the site is vulnerable as soon as an outdated iCagenda version is installed.
How to check your installed version:
- Log in to the Joomla backend
- Go to System - Manage - Extensions
- Filter by iCagenda and check the version number
If it shows a version lower than 4.0.8, there is an urgent need to act.
The vulnerability in simple terms
Imagine the event submission form as a door with a doorbell. The doorbell, technically the CSRF token, was checked, but nobody verified whether the person ringing actually had a key. That was the problem: the form's submission handler checked only the security token, not whether the sender was logged in and authorized to submit.
What makes this tricky is that Joomla also creates a session, including a valid token, for anonymous visitors. A valid token therefore only proves that the request comes from a real session, not that an authorized user is behind it. This allowed an unauthenticated attacker to submit an event and upload a file even where the form was restricted to registered users, which is the default. In effect this is an unauthenticated file upload; the uploaded file lands in images/icagenda/frontend/.
Version 4.0.8 closes this by adding a real login check, an access-level check and menu validation (determined by a direct comparison of the 4.0.7 and 4.0.8 source code).
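To make the difference concrete, here is an added illustration in the shape of a Joomla 4/5 site controller. It is not iCagenda's code and not taken from the 4.0.7/4.0.8 comparison; the namespace, class name, option name com_example and the view name submit are assumptions. It shows the token-only check described above next to the three checks the article says the fix introduced.

```php
<?php
// Added illustration (not iCagenda's code): a Joomla 4/5 site controller for a
// front-end "submit an event" form. Namespace, class, 'com_example' and the
// 'submit' view are assumptions made for this example.
namespace Example\Component\Events\Site\Controller;

\defined('_JEXEC') or die;

use Joomla\CMS\Factory;
use Joomla\CMS\Language\Text;
use Joomla\CMS\MVC\Controller\FormController;
use Joomla\CMS\Router\Route;

class SubmissionController extends FormController
{
    /**
     * Vulnerable pattern: only the CSRF token is verified. Joomla hands a
     * session and a valid token to anonymous visitors too, so passing
     * checkToken() proves the request came from a live session, not that a
     * logged-in, authorised user sent it. An unauthenticated POST carrying a
     * token from a guest session therefore reaches the save/upload code.
     */
    public function saveInsecure(): void
    {
        $this->checkToken();

        $data  = $this->input->get('jform', [], 'array');
        $files = $this->input->files->get('jform', [], 'array');

        // ... the event is stored and the uploaded file is moved into the
        //     component's upload folder without ever asking who the sender is.
    }

    /**
     * Hardened pattern: token, real login check, menu validation and
     * access-level check. Each failure stops processing before any upload.
     */
    public function save($key = null, $urlVar = null): bool
    {
        $this->checkToken();

        $app  = Factory::getApplication();
        $user = $app->getIdentity();

        // 1. Login check. Anonymous sessions carry a token but have guest = 1.
        if ($user === null || $user->guest) {
            $app->enqueueMessage(Text::_('JERROR_ALERTNOAUTHOR'), 'error');
            $this->setRedirect(Route::_('index.php?option=com_users&view=login', false));

            return false;
        }

        // 2. Menu validation. The form must be reached through a menu item of
        //    this component and view, not through a crafted option=/view= URL.
        $item = $app->getMenu()->getActive();
        if ($item === null
            || $item->component !== 'com_example'
            || ($item->query['view'] ?? '') !== 'submit') {
            $app->enqueueMessage(Text::_('JERROR_ALERTNOAUTHOR'), 'error');
            $this->setRedirect(Route::_('index.php', false));

            return false;
        }

        // 3. Access-level check. The menu item's access level (Public,
        //    Registered, ...) must be one the current user actually holds.
        if (!in_array((int) $item->access, $user->getAuthorisedViewLevels(), true)) {
            $app->enqueueMessage(Text::_('JERROR_ALERTNOAUTHOR'), 'error');
            $this->setRedirect(Route::_('index.php', false));

            return false;
        }

        // Only now hand over to the regular FormController save, which runs
        // the model's own allowSave() and upload handling.
        return parent::save($key, $urlVar);
    }
}
```

The order matters: the menu item is looked up before its access level is compared, because an attacker who can skip the menu item entirely (no Itemid) would otherwise leave nothing to compare against. Note that checkToken() is kept in the hardened version as well; the CSRF check is still needed, it just was never an authentication check.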
What to do now, specifically
Update iCagenda to version 4.0.8 today, not someday. The update is the only measure that actually closes the vulnerability.
How to update iCagenda
- Log in to the Joomla backend
- Go to System - Update - Extensions
- Click Check for Updates
- Select the iCagenda entry and click Update
If no update appears, download the package directly from icagenda.com and install it via System - Install - Extensions.
Important: If you removed the component earlier, do not restore old files from a backup. Install 4.0.8 cleanly instead; otherwise you may bring the vulnerability, or malicious code that was already planted, back onto your site.
Has my site already been attacked?
Because the vulnerability can be exploited without logging in and leaves an upload behind, you can look for specific traces. Watch out for:
- foreign or unexpected files under images/icagenda/frontend/, especially with a script extension (for example .php) or a suspicious timestamp
- unknown or nonsensical submitted events that you did not create or approve yourself
- unusual files elsewhere in the web root, as well as new administrator accounts you do not recognize
If you find any of this, treat the site as compromised. Do not simply delete the suspicious file; proceed systematically: preserve evidence (logs, files, timestamps), scan the entire web root for malware, not just iCagenda, and then change all passwords and secrets. Installing the update does not remove malware that has already been placed.
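The following stand-alone CLI script is an added triage helper, not part of the article, iCagenda or HTProtect. It walks the upload folder named above and reports the three indicators from the list: script extensions, PHP code hidden inside files named like images, and recent modification. The 30-day window and the extension list are assumptions for this example; run it with read access to the web root and do not delete anything it reports before you have preserved the evidence.

```php
<?php
// Added triage helper (not from the article, iCagenda or HTProtect).
// Usage from the command line:
//   php triage.php /var/www/html        (defaults to a 30-day window)
//   php triage.php /var/www/html 7
// The path images/icagenda/frontend comes from the article; the window and
// the extension list below are assumptions made for this example.
declare(strict_types=1);

const SCRIPT_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar',
    'shtml', 'cgi', 'pl', 'htaccess',
];

/**
 * Returns a list of ['reason' => string, 'path' => string] findings for $dir.
 * A file appears once per indicator it trips.
 */
function triageUploadDir(string $dir, int $days = 30): array
{
    $findings = [];
    if (!is_dir($dir)) {
        return $findings;
    }

    $cutoff = time() - ($days * 86400);
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );

    /** @var SplFileInfo $file */
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();

        // (a) Extension a default Apache/PHP setup may execute or honour.
        //     '.htaccess' is listed because an uploaded one can re-enable PHP.
        if (in_array(strtolower($file->getExtension()), SCRIPT_EXTENSIONS, true)) {
            $findings[] = ['reason' => 'script-extension', 'path' => $path];
        }

        // (b) PHP open tag within the first 4 KiB, regardless of extension:
        //     catches polyglots such as a GIF header followed by PHP code.
        $head = (string) file_get_contents($path, false, null, 0, 4096);
        if (preg_match('/<\?(php\b|=)/i', $head) === 1) {
            $findings[] = ['reason' => 'php-open-tag', 'path' => $path];
        }

        // (c) Anything touched inside the suspicious window. Pair this with
        //     the web server's access log to find the matching POST request.
        if ($file->getMTime() >= $cutoff) {
            $findings[] = ['reason' => 'recently-modified', 'path' => $path];
        }
    }

    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $root = rtrim($argv[1], '/');
    $days = isset($argv[2]) ? (int) $argv[2] : 30;
    $rows = triageUploadDir($root . '/images/icagenda/frontend', $days);

    if ($rows === []) {
        echo "No findings.\n";
    }
    foreach ($rows as $row) {
        printf("%-18s %s\n", $row['reason'], $row['path']);
    }
}
```

A clean result from this script is not proof of a clean site: it only covers the one folder the article names, so run the same function against the rest of images/ and the web root, and check the Joomla user list for administrator accounts you do not recognize.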
Additional protection (not a replacement for the update): server hardening
The update remains the first and most important step. As a second line of defense, server hardening helps: a suitable .htaccess that blocks PHP execution in the images folder ensures that a PHP file placed there is never executed. This neutralizes the most dangerous consequence, remote code execution, but prevents neither the upload itself nor injected spam events. Without the update the vulnerability stays open; hardening only limits the worst outcome.
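As an added example of that hardening (not taken from the article or from HTProtect), this is what such an images/.htaccess can look like on Apache 2.4. It assumes the vhost allows overrides for this directory (AllowOverride All, or at least AuthConfig, FileInfo and Options); nginx does not read .htaccess files at all and needs an equivalent location rule in its own configuration.

```apache
# images/.htaccess  (added example; hardening, not a substitute for 4.0.8)

# 1. Refuse to serve anything named like a server-side script.
<FilesMatch "\.(php|php[0-9]|phtml|phar|shtml|cgi|pl)$">
    Require all denied
</FilesMatch>

# 2. Detach the PHP handler and MIME type for this tree, so a file that slips
#    past the name check (e.g. via an unexpected AddHandler/AddType in the
#    global config) still has no interpreter attached.
RemoveHandler .php .php3 .php4 .php5 .php7 .php8 .phtml .phar
RemoveType    .php .php3 .php4 .php5 .php7 .php8 .phtml .phar

# 3. With mod_php, switch the engine off here. Wrapped in IfModule because the
#    directive is unknown under PHP-FPM/FastCGI and would otherwise turn the
#    whole folder into a 500 error.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>

# 4. No CGI, no server-side includes, no directory listings of uploads.
Options -ExecCGI -Includes -Indexes
```

Two caveats a practitioner should keep in mind. First, an attacker who can upload arbitrary files may also drop a .htaccess into images/icagenda/frontend/ and, where AllowOverride permits it, re-attach a handler; restricting AllowOverride in the vhost and watching for stray .htaccess files closes that gap. Second, this only stops execution on the web server: the uploaded file is still on disk, and the spam events are still in the database, which is why the update comes first.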
The free component HTProtect performs exactly this hardening automatically: it blocks PHP execution in upload and media folders and shows a warning as soon as an installed extension, such as iCagenda before 4.0.8, is known to be vulnerable. Its malware scan also finds dropper files that have already been placed. Neither replaces the update.
Not sure whether your Joomla site uses iCagenda or is already affected? We will check that for you and, in an emergency, clean the entire web root, not just the one component. Also take a look at our immediate help for hacked Joomla sites.
Conclusion
The iCagenda vulnerability is critical, the fix is available, and the details will become public soon. If you use iCagenda, there is only one sensible order: update to iCagenda 4.0.8 today, then check whether anything has already been uploaded. Server hardening and monitoring come after that; they do not replace the update.
Source: official release by the developer on icagenda.com or joomlic.com.
Last Updated: 15 June 2026
