>samit_hota
Back to advisories
SH-2026-091CriticalOpen

CISA Adds Actively Exploited Joomla iCagenda and Balbooa Forms RCEs to KEV Catalog

Samit Hota·
CVE ID
CVE-2026-48939, CVE-2026-56291
CVSS Score
N/A
Affected Products
Joomla iCagenda extension (versions up to 2.4.0), Joomla Balbooa Forms extension
#news#joomla

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding two critical remote code execution (RCE) vulnerabilities affecting popular extensions for the Joomla content management system. These flaws, identified as CVE-2026-48939 in the iCagenda extension and CVE-2026-56291 in the Balbooa Forms extension, have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, indicating that they are being actively exploited in the wild. This development underscores the severe risk these unpatched vulnerabilities pose to organizations utilizing these components. Federal Civilian Executive Branch (FCEB) agencies have been given a deadline of July 13, 2026, to implement the necessary patches to mitigate these threats, a recommendation that should be heeded by all organizations to prevent potential compromise.

Technical Details

CVE-2026-48939 impacts the iCagenda extension for Joomla, specifically within its “Submit an Event” form functionality. This vulnerability, present in versions up to and including 2.4.0, allows an unauthenticated attacker to upload arbitrary files without any login, CSRF token, or file type validation. This critical flaw means a malicious actor can upload a PHP file into a publicly accessible folder and then execute it, leading to unauthenticated remote code execution. This is considered one of the most severe outcomes for a web application vulnerability, as it grants attackers complete control over the compromised system. Reports indicate that this vulnerability has been actively exploited as a zero-day since June 15, 2026, targeting Joomla sites with the iCagenda extension installed through automated attacks. The flaw has been addressed in iCagenda version 2.4.1.

Similarly, CVE-2026-56291 affects the Balbooa Forms extension for Joomla, also enabling arbitrary file uploads that result in remote code execution. While specific technical details regarding the mechanism of exploitation for CVE-2026-56291 are less elaborated in the public advisories, its inclusion in the CISA KEV catalog alongside CVE-2026-48939, both with maximum severity ratings, confirms its critical nature and active exploitation. Both vulnerabilities leverage the ability to bypass security checks on file uploads, a common vector for web application compromises.

Real-World Impact

The immediate real-world impact of these vulnerabilities is substantial. Organizations that have deployed the affected iCagenda or Balbooa Forms extensions without applying the necessary patches are highly susceptible to compromise. Successful exploitation can lead to complete control of their Joomla-based websites, allowing attackers to:

  • Deface websites: Alter content, inject malicious scripts, or redirect visitors.
  • Exfiltrate sensitive data: Access and steal database contents, including user credentials, personal information, and proprietary business data.
  • Establish persistent backdoors: Maintain access to the compromised server for future attacks.
  • Use the compromised server as a pivot point: Launch further attacks against other systems within the network or host malicious content.
  • Integrate the server into botnets: Utilize the server’s resources for distributed denial-of-service (DDoS) attacks or cryptocurrency mining.

Given that Joomla is a widely used CMS, the potential scale of compromise is significant, affecting a broad range of entities from small businesses to large enterprises and government organizations.

Threat Landscape

The active exploitation of these vulnerabilities highlights a persistent challenge in the web application security landscape: the security of third-party components. Attackers frequently target popular extensions and plugins because they offer a broad attack surface and a single vulnerability can affect thousands of websites. The speed with which these flaws moved from disclosure (or in the case of iCagenda, suspected zero-day exploitation) to CISA’s KEV catalog underscores the rapid pace of current cyber threats and the agility of threat actors.

Furthermore, the nature of these vulnerabilities—unauthenticated remote code execution through file upload—is a favored technique for adversaries due to its effectiveness and straightforward exploitation. This scenario bypasses many traditional security controls and allows for a high degree of control post-exploitation. The ongoing campaigns targeting these flaws suggest a coordinated effort by threat actors to leverage known weaknesses in widely adopted software for various malicious purposes.

Remediation

Organizations using Joomla should take immediate action to address these critical vulnerabilities:

  1. Identify Affected Systems: Determine if your Joomla installations are using the iCagenda extension (versions up to 2.4.0) or the Balbooa Forms extension. Review your installed extensions and their versions.
  2. Apply Patches Immediately:
    • For iCagenda, update to version 2.4.1 or later.
    • For Balbooa Forms, consult the official Balbooa website or Joomla extension directory for the patched version and apply it without delay.
  3. Conduct a Compromise Assessment: Given that these vulnerabilities are actively exploited, assume potential compromise. Conduct a thorough forensic analysis of your systems to detect any indicators of compromise (IOCs), unauthorized access, or persistence mechanisms left by attackers.
  4. Review Access Logs: Scrutinize web server access logs for suspicious file uploads (especially PHP files in unexpected directories) and unusual execution patterns.
  5. Implement Web Application Firewall (WAF): Deploy or enhance WAF rules to detect and block suspicious file upload attempts and known exploit patterns targeting these vulnerabilities. While not a substitute for patching, a WAF can provide an additional layer of defense.
  6. Principle of Least Privilege: Ensure that file upload directories have appropriate permissions, restricting execution rights.
  7. Regular Security Audits: Continuously audit your web applications and their third-party components for vulnerabilities. Stay informed about new disclosures and maintain a proactive patching schedule.
  8. Backup and Recovery: Maintain up-to-date backups of your website data and configurations to enable rapid recovery in the event of a successful attack.

Failure to address these vulnerabilities promptly leaves organizations highly exposed to severe cyberattacks, potentially leading to data breaches, operational disruption, and reputational damage.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call