
CISA has added two exploited Joomla extension vulnerabilities to its Known Exploited Vulnerabilities catalog after attackers were observed abusing arbitrary file upload paths that can lead to remote code execution.
The flaws are CVE-2026-48939 in iCagenda and CVE-2026-56291 in Balbooa Forms. Both are rated critical. Both involve unsafe upload handling in public-facing Joomla extension functionality. And both show why CMS security cannot stop at the Joomla core version.
For defenders, the important part is not only that patches exist. It is that these are attacker-tested vulnerabilities in extension code that may sit on public websites, agency portals, campaign pages, event calendars, and small business sites long after the core CMS has been kept current.
CISA added the two Joomla extension issues to KEV on July 10, 2026, with a July 13 remediation deadline for covered federal agencies. The agency's entries require mitigations in line with vendor instructions and BOD 26-04 risk-based patching guidance.
The two entries are:
CVE-2026-48939, an iCagenda unrestricted upload of file with dangerous type vulnerabilityCVE-2026-56291, a Balbooa Forms unrestricted upload of file with dangerous type vulnerabilityNVD now shows both CVEs in CISA's KEV catalog. For both entries, CISA's SSVC enrichment marks exploitation as active, exploitability as automatable, and technical impact as total. That combination is the operational signal: reachable vulnerable systems should not be treated as normal backlog items.
The weakness class is familiar. A file upload feature accepts a dangerous file type, writes it somewhere reachable, and the web server can execute it. Once that happens, the bug is no longer just a form-validation issue. It becomes remote code execution.
iCagenda is a Joomla extension for event registration, calendars, and event submission workflows. The vulnerability, CVE-2026-48939, affects the extension's frontend event submission flow.
According to NVD, the flaw allows arbitrary file upload in the file attachment feature, ultimately resulting in PHP code upload and execution. The CVE carries a CVSS v4 score of 10.0 from the CNA and a CVSS v3.1 score of 9.8 from NVD.
mySites.guru, which found and reported the issue, says the serious path is an unauthenticated upload-to-RCE bug in the public "Submit an Event" form. The uploaded attachment could keep a dangerous extension and land under a web-served path. On Joomla 6, that could allow a PHP web shell to be uploaded and executed.
There is a nuance here that matters for triage. mySites.guru and the vendor-scoped advisory indicate that the upload-to-shell path applies to Joomla 6 because earlier Joomla versions block unsafe uploads in core by default. But affected iCagenda versions also had a lower-severity access-control issue in the same submission flow, and administrators should update regardless of Joomla major version.
Affected iCagenda versions include the 3.x line from 3.2.1 through 3.9.14 and the 4.x line through 4.0.7. Fixes are available in 3.9.15 for the legacy branch and 4.0.8 for the current branch.
Balbooa Forms is a Joomla form builder with support for contact forms and file uploads. CVE-2026-56291 affects Balbooa Forms versions 1.0 through 2.4.0, with a fix in 2.4.1.
NVD describes the vulnerability as an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. The Joomla Project's CVSS v4 score is 10.0, and NVD's CVSS v3.1 score is 9.8.
BleepingComputer reported that CISA warned attackers are exploiting both iCagenda and Balbooa Forms to achieve remote code execution through arbitrary file uploads. mySites.guru says the Balbooa Forms issue was exploited as a zero-day, with attacks observed before the vendor released the fix.
This is the uncomfortable part for website owners: a feature that looks ordinary from the business side, such as "let visitors attach a file to a form," can become an unauthenticated server takeover path if extension code does not enforce strict upload validation, server-side type checks, storage controls, and execution prevention.
Many organizations can answer "which CMS do we run?" faster than they can answer "which extensions are installed across every site, on which version, and exposed through which public forms?"
That gap is where these bugs live.
Joomla, WordPress, Drupal, Magento, and other CMS ecosystems are built around plugins, modules, extensions, themes, page builders, form builders, calendars, SEO tools, galleries, editors, and integration components. Those add-ons often carry the business functionality that makes a website useful. They also carry code that receives public input.
When a core CMS is patched but an extension remains old, the public attack surface is still exposed. A login page may be hardened, the admin panel may be behind MFA, and the operating system may be up to date, while a forgotten event form or file upload route remains reachable to anyone on the internet.
That is why extension inventory is not a nice-to-have. It is part of incident response readiness and vulnerability management. If a KEV entry names an extension, teams need to find the extension quickly, not discover it manually site by site after exploitation starts.
The usual exploitation path is direct. An attacker submits a crafted upload to a vulnerable endpoint, places a PHP file or other executable content under a web-served directory, then requests that file to run commands on the server.
From there, the attacker may be able to:
The real impact depends on hosting architecture, permissions, segmentation, and what the Joomla instance can reach. A small brochure site on isolated hosting is different from a customer portal connected to CRM, payment, email, or internal admin systems. But any unauthenticated file-upload RCE on a public site deserves urgent handling.
Start with inventory. Identify every Joomla site, including production, staging, old campaign sites, microsites, regional sites, agency-managed sites, and sites hosted outside the main cloud or corporate network.
Then search for the affected extensions:
For iCagenda, update to 4.0.8 or later on the current branch, or 3.9.15 or later on the legacy branch. For Balbooa Forms, update to 2.4.1 or later. Confirm the version after deployment.
Do not rely only on whether the extension is visible in a public menu. If the component is installed and the vulnerable route remains reachable, hiding or unpublishing a page may not be enough. Review vendor guidance and remove unused extensions entirely when possible.
Next, reduce upload risk:
.php, .phtml, or executable files under media and attachment pathsThe server control is important. Application patches fix the vulnerable code path, but upload directories should not be places where arbitrary server-side code can execute.
Because these flaws were exploited, patching is only the first half of the response. The second half is checking whether attackers arrived before the update.
Useful checks include:
.htaccess rulesIf a web shell is found, assume compromise. Preserve evidence, take the site out of rotation if needed, rotate database and CMS credentials, review hosting panel access, and rebuild from known-good media where trust is lost.
For shared hosting, also check whether the same account hosts multiple sites. A web shell in one Joomla install may expose other applications under the same user, even if those applications are not running iCagenda or Balbooa Forms.
The defender lesson is simple but often neglected: extension exposure is website exposure.
Security teams should treat CMS add-ons as first-class assets. That means maintaining a central extension inventory, tracking versions, removing abandoned components, monitoring KEV and vendor advisories for extension names, and making it easy to patch dozens of sites quickly.
It also means changing the way website risk is discussed. "Joomla is up to date" is not enough. The operational question is:
For agencies, managed service providers, web shops, universities, municipalities, nonprofits, and companies with many small websites, that last question is often the hard one. Attackers automate discovery. Defenders need to automate inventory.
CVE-2026-48939 is an arbitrary file upload vulnerability in the iCagenda Joomla extension. CVE-2026-56291 is an unauthenticated arbitrary file upload vulnerability in the Balbooa Forms Joomla extension. Both can lead to remote code execution.
Yes. CISA added both flaws to the Known Exploited Vulnerabilities catalog, and CISA's SSVC enrichment marks exploitation as active.
iCagenda is fixed in 4.0.8 for the current branch and 3.9.15 for the legacy branch. Balbooa Forms is fixed in 2.4.1.
No. These are vulnerabilities in third-party Joomla extensions. That is why defenders need extension-level inventory, not only CMS core version tracking.
Check for compromise. Review web logs, upload directories, new or modified PHP files, Joomla administrator accounts, template changes, redirects, and suspicious outbound activity. If a web shell is found, handle it as a security incident.
Written by
Research
A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.
Get the latest cybersecurity insights delivered to your inbox.