>samit_hota
Back to advisories
SH-2026-056HighOpen

CISA Adds Actively Exploited iCagenda and Balbooa Forms Vulnerabilities to KEV Catalog

Samit Hota·
CVE ID
CVE-2026-48939, CVE-2026-56291
CVSS Score
N/A
Affected Products
iCagenda (Joomla component), Balbooa Forms (Joomla component)
#news#cisa

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has added two new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. Published on July 10, 2026, these vulnerabilities, CVE-2026-48939 affecting iCagenda and CVE-2026-56291 impacting Balbooa Forms, are both categorized as “Unrestricted Upload of File with Dangerous Type” flaws. These types of vulnerabilities are frequently leveraged by malicious cyber actors and pose significant risks, particularly within federal enterprises. CISA’s directive under Binding Operational Directive (BOD) 26-04 mandates that Federal Civilian Executive Branch (FCEB) agencies prioritize rapid remediation of vulnerabilities listed in the KEV Catalog, especially on publicly exposed assets that grant total control post-exploitation.

Technical Details

Both CVE-2026-48939 and CVE-2026-56291 are unrestricted file upload vulnerabilities, which are critical flaws that allow an attacker to upload arbitrary files, including malicious scripts or web shells, to a server.

  • CVE-2026-48939 (iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability): This vulnerability affects iCagenda, a popular event management component for Joomla. An attacker exploiting this flaw could upload a file with a dangerous type (e.g., a PHP script) to the web server. If successfully executed, this could lead to remote code execution (RCE) in the context of the web server, allowing the attacker to gain control over the affected Joomla instance.
  • CVE-2026-56291 (Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability): Similarly, this vulnerability is present in Balbooa Forms, another widely used form builder component for Joomla. An attacker could exploit this by uploading a malicious file, bypassing typical file type restrictions. Successful exploitation would grant the attacker the ability to execute arbitrary code on the server, potentially leading to full compromise of the Joomla website and the underlying server infrastructure.

These types of vulnerabilities are particularly dangerous because they bypass security checks intended to prevent the execution of unauthorized code.

Real-World Impact

The real-world impact of unrestricted file upload vulnerabilities, especially when under active exploitation, can be severe. For organizations running vulnerable instances of iCagenda or Balbooa Forms on their Joomla websites, successful exploitation can lead to:

  • Remote Code Execution (RCE): Attackers can execute arbitrary commands on the affected server, leading to full compromise.
  • Website Defacement: Malicious content can be uploaded and displayed on the website.
  • Data Theft: Sensitive data stored on the server or connected databases can be exfiltrated.
  • Malware Distribution: The compromised website can be used to host and distribute further malware to visitors.
  • Lateral Movement: Attackers can use the compromised server as a foothold to move laterally within the network.
  • Supply Chain Attacks: If the affected Joomla instance is part of a larger web infrastructure or provides services to other entities, it could serve as a vector for broader supply chain attacks.

For FCEB agencies, failure to remediate these vulnerabilities rapidly can result in significant security breaches, data compromise, and non-compliance with BOD 26-04, potentially leading to audits and penalties.

Threat Landscape

Unrestricted file upload vulnerabilities have been a consistent feature of the threat landscape for web applications. They are highly sought after by attackers because they often provide a direct path to remote code execution, which is the “holy grail” for many cyberattacks. The active exploitation of these specific vulnerabilities in iCagenda and Balbooa Forms indicates that threat actors are actively scanning for and targeting Joomla websites using these components. This makes the affected systems critical targets for various malicious activities, ranging from simple defacement to sophisticated data exfiltration and persistent access. The inclusion in CISA’s KEV Catalog underscores the urgency and widespread nature of the threat, confirming that these are not theoretical flaws but actively weaponized attack vectors. The broad adoption of content management systems like Joomla means that a significant number of organizations could be at risk.

Remediation

CISA’s inclusion of CVE-2026-48939 and CVE-2026-56291 in its KEV Catalog mandates that FCEB agencies remediate these vulnerabilities by specified deadlines. For all organizations using iCagenda or Balbooa Forms, immediate action is crucial:

  • Apply Patches Immediately: Organizations must apply the latest security updates and patches provided by the developers of iCagenda and Balbooa Forms. If patches are not yet available, seek official vendor advisories for mitigation strategies.
  • Remove or Disable Vulnerable Components: If immediate patching is not feasible, consider temporarily disabling or removing the iCagenda and Balbooa Forms components until a fix can be applied, if their functionality is not critical.
  • Web Application Firewall (WAF): Implement or strengthen Web Application Firewall rules to detect and block attempts to upload dangerous file types and prevent exploitation of these vulnerabilities.
  • Input Validation and File Upload Security: Review and enhance server-side input validation and file upload mechanisms to strictly enforce file type, size, and content restrictions.
  • Regular Security Audits: Conduct regular security audits and penetration testing of web applications, especially those running third-party components, to identify and address vulnerabilities proactively.
  • Monitor for Compromise: Monitor web server logs and network traffic for any signs of compromise, such as unusual file uploads, unexpected process execution, or outbound connections.
  • Least Privilege: Ensure that the web server process runs with the minimum necessary privileges to limit the impact of a successful exploit.

By taking these steps, organizations can significantly reduce their exposure to these actively exploited vulnerabilities and protect their web assets from compromise.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call