On 15 June 2026 I released iCagenda 4.0.8 to fix a critical vulnerability in all earlier versions.

If you haven't updated yet, please do so immediately. This vulnerability has been actively exploited since 15 June at 8 a.m. UTC, and the attacks are automated and target Joomla sites on which iCagenda is installed.

Important Note: The update closes the entry point but does not full clean up an already compromised site. If you were affected by this vulnerability before the update, the security update will remove only what could have been added in the entry point, but not what the attacker left behind and we can't monitor.

After updating to version 4.0.8, an alert message will appear if iCagenda suspects your system is affected. Please read the information in this message carefully. If you do not see this alert message after the update is complete, your system may not be vulnerable, but we cannot guarantee this.

To allow everyone time to update before the details are made public, I will provide more information later. For now, please update.

The version 4.0.8 is for Joomla 4 up to latest Joomla 6 version.

I'm currently working on a 3.9.15 version to fix the security on Joomla 3 websites (but it's more than highly recommended to update your Joomla site to at least latest 5.4 version).

Come back here later to get more news about it.

If you have any questions please post on the forum or open a new support ticket if you own an active Pro Subscription.