- U.S. CISA added two maximum-severity Joomla extension flaws to its Known Exploited Vulnerabilities (KEV) catalog after zero-day attacks in the wild.
- Both vulnerabilities—CVE-2026-48939 in iCagenda and CVE-2026-56291 in Balbooa Forms—allow unauthenticated file upload leading to remote code execution.
- Exploitation of the iCagenda flaw began as early as June 15, 2026, and the Balbooa flaw was discovered by mySites.guru on July 8 following a live attack on a customer.
- Patches are available for both extensions; Federal agencies must apply fixes by July 13, 2026.
- The Australian Cyber Security Centre (ACSC) also warned of a global campaign targeting vulnerable CMS systems and plugins.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws affecting iCagenda and Balbooa extensions for Joomla to its KEV catalog following reports of zero-day exploitation in the wild. Both vulnerabilities, rated 10.0 on the CVSS scoring system, allow arbitrary file upload leading to remote code execution.
According to mySites.guru, CVE-2026-48939 in iCagenda has been exploited as a zero-day since June 15, 2026, in automated attacks targeting Joomla sites with the extension installed. The flaw resides in the “Submit an Event” form, where attackers can upload malicious PHP files.
“We first saw it in a client’s access log: an automated scanner identifying itself as ‘icagenda-batch/1.0’ grabbed a token, posted a malicious upload to the submit endpoint, then fetched the planted shell,” mySites.guru said. The iCagenda vulnerability affects versions 4.x up to 4.0.7 and legacy 3.x from 3.2.1 to 3.9.14.
Patches have been released in iCagenda versions 4.0.8 and 3.9.15, and site owners are advised to remove suspicious PHP files from the attachments folder. Meanwhile, CVE-2026-56291 in Balbooa Forms affects versions up to 2.4.0 and has been patched in version 2.4.1.
“Up to and including version 2.4.0, its frontend attachment upload had a serious flaw: it accepted a file from any anonymous visitor, with no login, no CSRF token, and no check on the file type,” mySites.guru said. The vulnerability was discovered on July 8, 2026, after a live attack on a customer.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies must implement fixes by July 13, 2026. Additionally, the Australian Cyber Security Centre (ACSC) warned of a global campaign targeting vulnerable CMS software and plugins. “This highly scaled global exploitation campaign demonstrates the rapidly evolving cyber risk facing organisations,” ACSC said, adding that advances in AI are accelerating the speed and scale of cyber operations.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
