iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days
CISA adds two Joomla extension zero-day flaws to KEV catalog amid active exploitation.
Summary
CISA has added two critical vulnerabilities in Joomla extensions, iCagenda and Balbooa Forms, to its Known Exploited Vulnerabilities catalog due to reports of zero-day exploitation. Both flaws, rated 10.0 CVSS, allow arbitrary file uploads leading to remote code execution. Exploitation of the iCagenda vulnerability has been observed since June 15, 2026, while the Balbooa Forms flaw was discovered during a live attack on July 8, 2026.
Full text
iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days Ravie LakshmananJul 13, 2026Vulnerability / Web Security The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabilities (KEV) catalog, following reports of zero-day exploitation in the wild. The vulnerabilities, both rated 10.0 on the CVSS scoring system, are below - CVE-2026-48939 - A vulnerability in the iCagenda extension for Joomla that allows the upload of arbitrary files via the file attachment feature, leading to PHP code upload and execution. CVE-2026-56291 - A vulnerability in the Balbooa Forms extension for Joomla that allows the upload of arbitrary files, leading to remote code execution. According to mySites.guru, a cloud-based dashboard service for managing WordPress and Joomla websites, CVE-2026-48939 is said to have been exploited as a zero-day since June 15, 2026, in automated attacks aimed at Joomla sites on which iCagenda is installed. It resides in the "Submit an Event" form functionality, which lets users propose events for the calendar. "We first saw it in a client's access log: an automated scanner identifying itself as 'icagenda-batch/1.0' grabbed a token, posted a malicious upload to the submit endpoint, then fetched the planted shell at the exact path the component writes attachments to," mySites.guru said. The flaw impacts the following versions - 4.x versions up to and including 4.0.7 Legacy 3.x versions from 3.2.1 up to and including 3.9.14 JoomliC has since released updates to address the issue in iCagenda versions 4.0.8 and 3.9.15. Site owners are advised to check for suspicious PHP files in the "images/icagenda/frontend/attachments/" folder and remove them. MySites.guru said it also observed zero-day exploitation of CVE-2026-56291, which affects Balbooa Forms versions up to and including 2.4.0. It has been patched in version 2.4.1. "Up to and including version 2.4.0, its frontend attachment upload had a serious flaw: it accepted a file from any anonymous visitor, with no login, no CSRF token, and no check on the file type," it said. "An attacker could upload a PHP file into a public folder and then run it, which is unauthenticated remote code execution, the worst outcome a web flaw can have." The vulnerability was discovered by mySites.guru on July 8, 2026, following a live attack on one of its customers. It has shared the following indicators of compromise - Look in the Balbooa Forms upload folder (by default "images/baforms/uploads") for any file that is not an image or document, especially anything ending in PHP Check the Joomla user list for suspicious administrator accounts Audit the set for recently modified or unfamiliar PHP files across the site In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have until July 13, 2026, to implement the fixes in their networks. Australia Warns of Global Campaign Targeting Vulnerable CMS Systems The disclosure comes as the Australian Cyber Security Centre (ACSC) issued an alert warning of a global exploitation campaign targeting various vulnerabilities in content management systems (CMS) and plugins. "As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy web shells, leveraging various vulnerabilities affecting CMS software and plugins," the agency said. "These vulnerabilities primarily allow unauthenticated file upload, remote code execution, server side request forgery or deserialization." Once deployed, the web shells serve as conduits for remote access and control of the targeted web servers. Some of the identified security vulnerabilities are listed below - Sneeit Framework (CVE-2025-6389) WPBookit (WordPress) (CVE-2025-7852) Gravity Forms (WordPress) (CVE-2025-12352) Craft CMS (CVE-2025-32432) Ninja Forms (WordPress) (CVE-2026-0740) MaxSite CMS (CVE-2026-3395) Breeze Cache (WordPress) (CVE-2026-3844) WavePlayer (WordPress) (CVE-2025-12057) MetInfo CMS (CVE-2026-29014) Joomla JCE (CVE-2026-48907) "This highly scaled global exploitation campaign demonstrates the rapidly evolving cyber risk facing organisations," ACSC said, adding "advances in AI are accelerating the speed and scale of cyber operations, reducing the time between vulnerability disclosure and exploitation." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE CMS Security, cyberattack, exploit, Government security, Joomla, remote code execution, Vulnerability, Web Security, WordPress, Zero-Day ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls
Indicators of Compromise
- cve — CVE-2026-48939
- cve — CVE-2026-56291