Skip to main content
Emerging Threats

Attackers Exploit Joomla Extension Bugs with Perfect 10 Scores

Attackers Exploit Joomla Extension Bugs with Perfect 10 Scores

Both vulnerabilities carry the maximum CVSS score of 10 and let attackers upload files that can be executed as PHP on the server — handing over remote control of affected sites.

CISA adds CVE-2026-48939 and CVE-2026-56291 to the Known Exploited Vulnerabilities catalog

The Cybersecurity and Infrastructure Security Agency has added two critical Joomla extension flaws to its Known Exploited Vulnerabilities (KEV) catalog after confirming in-the-wild attacks. CISA listed CVE-2026-48939, which affects the iCagenda events calendar extension, and CVE-2026-56291, which affects Balbooa Forms, a form builder used for contact requests, registrations, surveys and file uploads. Federal civilian agencies were ordered to patch against the flaws under the agency’s vulnerability management directive.

How attackers exploited iCagenda's attachment feature

Researchers said the iCagenda bug lets an attacker upload a malicious PHP file through the extension’s attachment feature, turning an apparently straightforward file upload into remote code execution. Security firm mySites.guru reported spotting attackers exploiting the iCagenda bug just hours before patched versions 4.0.8 and 3.9.15 were released in mid‑June. The attacks targeted the extension’s “Submit an Event” feature, which allows site visitors to contribute events to a site calendar; researchers observed automated scanning for vulnerable installations followed by the dropping of web shells onto compromised servers.

Balbooa Forms: anonymous frontend uploads, no CSRF or file-type checks

Balbooa Forms contained a similar failure: its frontend upload endpoint accepted files from anonymous visitors without authentication, CSRF protection, or meaningful checks on file types, researchers said. That combination made it possible to upload a PHP file into a publicly accessible directory and execute it remotely. The flaw was uncovered while researchers investigated an abuse report from a customer whose Joomla site was already under attack. Balbooa responded with version 2.4.1 on July 9, but researchers warned exploitation continues against sites that have not yet updated.

Patch availability, attack timeline, and active exploitation

There is a clear split between fixes being released and attacks already underway. iCagenda patches (4.0.8 and 3.9.15) were published in mid‑June after mySites.guru observed exploitation activity; Balbooa issued version 2.4.1 on July 9 following the researcher investigation. Despite the availability of patches, researchers reported that exploitation is continuing against sites that have not applied updates — a reminder, in the researchers’ words, that “the attackers didn't wait around for release notes.”

What this means for federal civilian agencies, Joomla site operators, and extension developers

  • Federal civilian agencies: CISA has placed both CVEs on the KEV catalog and ordered patching under its vulnerability management directive, making remediation an immediate compliance requirement for affected federal sites.
  • Joomla site operators and administrators: Sites that use iCagenda or Balbooa Forms — and Joomla in general, which powers roughly 1.2 percent of all websites, or around a million sites worldwide — should prioritize applying the available updates to stop ongoing exploitation and remove any web shells or backdoors dropped by attackers.
  • Extension developers and third‑party maintainers: The incidents illustrate risks created when frontend upload endpoints lack authentication, CSRF protections, or file‑type validation; developers should review upload handling and release patches promptly when flaws are discovered.

The fixes are already available, but the record here is stark: attackers found and exploited the defects before or immediately after vendors pushed updates, and exploitation is ongoing where administrators have not yet applied patches. The immediate, concrete step for affected sites is straightforward — install the iCagenda and Balbooa updates and check for indicators of compromise — but the broader, unanswered operational question is how many of the roughly one million Joomla installations using third‑party extensions remain exposed.

Original story: https://www.theregister.com/security/2026/07/14/baddies-caught-exploiting-extensions-bugs-with-perfect-10-scores-on-vulnerable-joomla-websites/5271001