Skip to main content
Emerging Threats

CISA Warns of Exploited Flaws in Joomla Extensions

Web server setup under attack in a bright office environment.
“iCagenda contains an unrestricted upload of file with dangerous type vulnerability that allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution,” CISA warns in its entry in the Known Exploited Vulnerabilities (KEV) catalog.

CVE-2026-48939: iCagenda arbitrary file upload and RCE

CISA lists CVE-2026-48939 as an arbitrary file upload flaw in the iCagenda extension for Joomla. iCagenda is used for registering and scheduling events and creating calendars. According to the agency, an attacker who exploits the flaw can upload arbitrary files to the web server — including PHP scripts — opening the door to data theft, web‑shell installation and complete website compromise via remote code execution (RCE).

The vendor patched the vulnerability in iCagenda with releases 4.0.8 and 3.9.15 on June 15–16, according to the advisory entry cited by CISA.

CVE-2026-56291: Balbooa Forms arbitrary file upload and RCE

The second KEV entry is CVE-2026-56291, an arbitrary file upload issue in Balbooa Forms, a drag‑and‑drop form builder for Joomla that supports file uploads for contact forms. CISA warns that the upload functionality can be abused to accept dangerous file types — such as executables — which can likewise lead to RCE and full website takeover.

Balbooa issued a fix for the problem in Balbooa Forms version 2.4.1, released on July 9, per the advisory information CISA included in the KEV catalog.

CISA classifies the flaws as maximum priority and orders a three‑day fix

Both vulnerabilities were added to CISA’s Known Exploited Vulnerabilities catalog and assigned the agency’s maximum priority level. CISA ordered federal agencies to apply available security updates and/or mitigations within three days — a deadline the advisory says was “set for today.” The KEV listing is an explicit directive to federal civilian agencies to prioritize these patches or deploy mitigations immediately.

Observed exploitation: automated attacks and a reported zero‑day

Website management and security platform mySites.guru reported that both flaws were actively exploited in automated attacks before vendors released patches. For iCagenda, mySites.guru observed attacks just a few hours before the release of version 4.0.8 that remediated CVE-2026-48939. For Balbooa Forms, mySites.guru says the CVE-2026-56291 vulnerability was exploited as a zero‑day, used in attacks beginning on July 8 — one day prior to the vendor’s July 9 fix.

Those observations are cited by CISA in the KEV entries and are the basis for the agency’s urgent prioritization.

What this means for website administrators and security teams

  • Administrators running Joomla sites should immediately check for the presence of the iCagenda and Balbooa Forms extensions and verify version numbers; the fixes are in iCagenda 4.0.8 and 3.9.15 (released June 15–16) and Balbooa Forms 2.4.1 (released July 9).
  • Where patching cannot be completed immediately, teams should apply any available mitigations and monitor for signs of web‑shell installation, unexpected PHP files on web servers, or unexplained data exfiltration — outcomes specifically warned about by CISA.

The technical facts are stark and specific: two Joomla extensions had file‑upload weaknesses that could be turned into remote code execution, both were observed in automated exploitation before public fixes, and CISA has ordered rapid action by federal agencies. The deadline imposed by the KEV entry underscores the agency’s assessment of imminent risk; for site owners and defenders, the immediate step is practical and narrow — confirm whether these extensions are present, confirm versions, and apply the vendor patches or mitigations now.

Source: BleepingComputer — CISA warns of actively exploited RCE flaws in Joomla extensions