PROBABLYPWNED
VulnerabilitiesJuly 13, 20264 min read

Joomla iCagenda, Balbooa Forms Flaws Exploited as Zero-Days

CISA adds CVE-2026-48939 and CVE-2026-56291 to KEV after attackers weaponized iCagenda and Balbooa Forms file upload bugs before patches existed. Federal deadline is July 13.

Marcus Chen

Two more Joomla extension vulnerabilities landed in CISA's Known Exploited Vulnerabilities catalog on July 10, both carrying maximum CVSS 10.0 ratings and both exploited as zero-days before vendors could release patches. Attackers appear to have discovered and weaponized these flaws independently, deploying PHP web shells through trivially exploitable file upload endpoints.

This marks the fourth and fifth Joomla plugin vulnerabilities added to the KEV catalog this summer, following the JCE Content Editor flaw in June and the Page Builder CK and SP Page Builder bugs added earlier this week. The pattern is clear: Joomla's extension ecosystem has become a reliable hunting ground for attackers seeking initial access to web servers.

iCagenda: Attackers Beat the Patch by Hours

CVE-2026-48939 affects iCagenda, an event registration and calendar extension used on thousands of Joomla sites. The vulnerability exists in the "Submit an Event" form's file attachment feature, which fails to validate uploaded file types, allowing attackers to upload and execute PHP scripts.

According to mySites.guru, exploitation began on June 15—the same day JoomliC released patches. Researchers observed automated scanners identifying themselves as icagenda-batch/1.0 hitting vulnerable endpoints, grabbing CSRF tokens, uploading malicious PHP files, and immediately fetching their planted shells.

"An automated scanner grabbed a token, posted a malicious upload to the submit endpoint, then fetched the planted shell," mySites.guru researchers noted. The speed suggests attackers had pre-built exploit code ready before disclosure.

Affected versions: iCagenda 4.x up to 4.0.7 and legacy 3.x from 3.2.1 through 3.9.14

Patched versions: 4.0.8 and 3.9.15 (released June 15-16)

IOC check: Look for suspicious PHP files in /images/icagenda/frontend/attachments/

Balbooa Forms: Exploited One Day Before Patch

CVE-2026-56291 hits Balbooa Forms, a drag-and-drop form builder extension with built-in file upload capabilities. The vulnerability requires no authentication, no CSRF token, and enforces no file type validation whatsoever. Any anonymous visitor can upload a PHP file and execute it on the server.

Attackers began exploiting this flaw on July 8, one day before the vendor released version 2.4.1 with a fix. The timeline strongly suggests someone was actively hunting for vulnerabilities in Joomla form extensions and beat responsible disclosure to the punch.

Affected versions: Balbooa Forms 2.4.0 and earlier

Patched version: 2.4.1 (released July 9)

IOC check: Examine /images/baforms/uploads/ for non-document or non-image files, especially anything with a .php extension

Federal Deadline Already Here

CISA set a three-day remediation window in accordance with BOD 26-04, giving Federal Civilian Executive Branch agencies until July 13 to patch. That deadline hits today. Organizations still running vulnerable versions are already behind the curve.

The compressed timeline reflects the severity of unauthenticated file upload vulnerabilities. Unlike flaws requiring attacker-controlled input or victim interaction, these bugs are trivially exploitable at scale. Automated scanners can test thousands of sites per hour, identify vulnerable endpoints, and deploy web shells within minutes. We've seen the same rapid weaponization pattern with the Zimbra XSS vulnerability disclosed last week—attackers are not waiting for proof-of-concept code to mature.

What to Do Now

Administrators should take immediate action:

  1. Check extension versions via the Joomla administrator panel under Extensions > Manage
  2. Update iCagenda to 4.0.8 (or 3.9.15 for legacy installs) and Balbooa Forms to 2.4.1
  3. Hunt for web shells in the IOC paths listed above—grep for <?php, eval(, base64_decode, and system(
  4. Audit administrator accounts for any unauthorized additions created after June 15
  5. Review recent file modifications across the webroot, not just the extension directories

Updating closes the entry point but does not remediate existing compromises. If attackers dropped a shell before you patched, the shell persists—a lesson reinforced by the npm supply chain attack on Injective Labs where compromised packages persisted in builds long after removal from the registry. Consider a full site scan using tools like maldet or ClamAV, or a manual review of recently modified PHP files.

Why Joomla Extensions Keep Getting Hit

Joomla's core has held up reasonably well against attackers. The extensions are another story. Third-party plugins often lack the security review processes found in enterprise software, and file upload functionality is notoriously difficult to implement safely. The result: a steady stream of maximum-severity bugs in components that handle user-submitted content.

The WordPress ecosystem faces similar challenges—we recently covered an operation that planted web shells on 25,000 WordPress sites through plugin vulnerabilities. For CMS administrators, the lesson is consistent: treat extensions as potential attack surface and minimize installed plugins to only what is actively needed.

Organizations running Joomla in production should establish a process for monitoring CISA's KEV feed and extension security advisories. By the time these flaws hit the catalog, exploitation is already widespread.

Related Articles