Joomla iCagenda, Balbooa Forms Flaws Exploited as Zero-Days
CISA adds CVE-2026-48939 and CVE-2026-56291 to KEV after attackers weaponized iCagenda and Balbooa Forms file upload bugs before patches existed. Federal deadline is July 13.
Two more Joomla extension vulnerabilities landed in CISA's Known Exploited Vulnerabilities catalog on July 10, both carrying maximum CVSS 10.0 ratings and both exploited as zero-days before vendors could release patches. Attackers appear to have discovered and weaponized these flaws independently, deploying PHP web shells through trivially exploitable file upload endpoints.
This marks the fourth and fifth Joomla plugin vulnerabilities added to the KEV catalog this summer, following the JCE Content Editor flaw in June and the Page Builder CK and SP Page Builder bugs added earlier this week. The pattern is clear: Joomla's extension ecosystem has become a reliable hunting ground for attackers seeking initial access to web servers.
iCagenda: Attackers Beat the Patch by Hours
CVE-2026-48939 affects iCagenda, an event registration and calendar extension used on thousands of Joomla sites. The vulnerability exists in the "Submit an Event" form's file attachment feature, which fails to validate uploaded file types, allowing attackers to upload and execute PHP scripts.
According to mySites.guru, exploitation began on June 15—the same day JoomliC released patches. Researchers observed automated scanners identifying themselves as icagenda-batch/1.0 hitting vulnerable endpoints, grabbing CSRF tokens, uploading malicious PHP files, and immediately fetching their planted shells.
"An automated scanner grabbed a token, posted a malicious upload to the submit endpoint, then fetched the planted shell," mySites.guru researchers noted. The speed suggests attackers had pre-built exploit code ready before disclosure.
Affected versions: iCagenda 4.x up to 4.0.7 and legacy 3.x from 3.2.1 through 3.9.14
Patched versions: 4.0.8 and 3.9.15 (released June 15-16)
IOC check: Look for suspicious PHP files in /images/icagenda/frontend/attachments/
Balbooa Forms: Exploited One Day Before Patch
CVE-2026-56291 hits Balbooa Forms, a drag-and-drop form builder extension with built-in file upload capabilities. The vulnerability requires no authentication, no CSRF token, and enforces no file type validation whatsoever. Any anonymous visitor can upload a PHP file and execute it on the server.
Attackers began exploiting this flaw on July 8, one day before the vendor released version 2.4.1 with a fix. The timeline strongly suggests someone was actively hunting for vulnerabilities in Joomla form extensions and beat responsible disclosure to the punch.
Affected versions: Balbooa Forms 2.4.0 and earlier
Patched version: 2.4.1 (released July 9)
IOC check: Examine /images/baforms/uploads/ for non-document or non-image files, especially anything with a .php extension
Federal Deadline Already Here
CISA set a three-day remediation window in accordance with BOD 26-04, giving Federal Civilian Executive Branch agencies until July 13 to patch. That deadline hits today. Organizations still running vulnerable versions are already behind the curve.
The compressed timeline reflects the severity of unauthenticated file upload vulnerabilities. Unlike flaws requiring attacker-controlled input or victim interaction, these bugs are trivially exploitable at scale. Automated scanners can test thousands of sites per hour, identify vulnerable endpoints, and deploy web shells within minutes. We've seen the same rapid weaponization pattern with the Zimbra XSS vulnerability disclosed last week—attackers are not waiting for proof-of-concept code to mature.
What to Do Now
Administrators should take immediate action:
- Check extension versions via the Joomla administrator panel under Extensions > Manage
- Update iCagenda to 4.0.8 (or 3.9.15 for legacy installs) and Balbooa Forms to 2.4.1
- Hunt for web shells in the IOC paths listed above—grep for
<?php,eval(,base64_decode, andsystem( - Audit administrator accounts for any unauthorized additions created after June 15
- Review recent file modifications across the webroot, not just the extension directories
Updating closes the entry point but does not remediate existing compromises. If attackers dropped a shell before you patched, the shell persists—a lesson reinforced by the npm supply chain attack on Injective Labs where compromised packages persisted in builds long after removal from the registry. Consider a full site scan using tools like maldet or ClamAV, or a manual review of recently modified PHP files.
Why Joomla Extensions Keep Getting Hit
Joomla's core has held up reasonably well against attackers. The extensions are another story. Third-party plugins often lack the security review processes found in enterprise software, and file upload functionality is notoriously difficult to implement safely. The result: a steady stream of maximum-severity bugs in components that handle user-submitted content.
The WordPress ecosystem faces similar challenges—we recently covered an operation that planted web shells on 25,000 WordPress sites through plugin vulnerabilities. For CMS administrators, the lesson is consistent: treat extensions as potential attack surface and minimize installed plugins to only what is actively needed.
Organizations running Joomla in production should establish a process for monitoring CISA's KEV feed and extension security advisories. By the time these flaws hit the catalog, exploitation is already widespread.
Related Articles
CISA Adds 4 CVEs to KEV: Joomla, ColdFusion Under Active Attack
CISA adds four actively exploited vulnerabilities to KEV catalog including two max-severity Joomla plugin flaws and Adobe ColdFusion CVE-2026-48282. Federal deadline is July 10.
Jul 9, 2026Qilin Ransomware Exploits Check Point VPN Zero-Day Since Early May
CVE-2026-50751 allows unauthenticated VPN access via IKEv1 certificate validation flaw. CISA gave federal agencies three days to patch after linking attacks to ransomware affiliate.
Jun 24, 2026CISA Orders Patch for CVSS 10 Joomla JCE Flaw by June 19
CVE-2026-48907 in Joomla Content Editor allows unauthenticated attackers to upload and execute PHP code. CISA added it to the KEV catalog after active exploitation deploying web shells.
Jun 18, 2026Second Cisco SD-WAN Zero-Day Hits CISA KEV in Two Weeks
CVE-2026-20262 joins CVE-2026-20245 on CISA's exploited vulnerabilities list. Attackers deploy malicious .war files via path traversal to gain root access on Catalyst SD-WAN Manager.
Jun 17, 2026