CISA added two maximum-severity vulnerabilities affecting popular Joomla extensions to its Known Exploited Vulnerabilities (KEV) catalog on July 10, 2026, with a federal agency patch deadline of July 13, 2026 — today. Both flaws are rated CVSS 10.0 and allow a completely unauthenticated remote attacker to upload a PHP file to a publicly accessible directory and execute arbitrary code on the underlying server.

  • CVE-2026-48939 — iCagenda (Joomla event calendar extension): an unvalidated file upload in the “Submit an Event” form’s attachment feature. Exploited as a zero-day in automated attacks since June 15, 2026. Fixed in iCagenda 4.0.8 (for the 4.x branch) and 3.9.15 (for legacy 3.x).
  • CVE-2026-56291 — Balbooa Forms (Joomla form builder extension): an unauthenticated file upload via the frontend attachment endpoint — no login, no CSRF token, no file-type validation. A live attack on a real customer was observed on July 8, 2026. Fixed in Balbooa Forms 2.4.1.

Both extensions are widely deployed across self-hosted Joomla websites, CMS installations managed by web agencies, and public-sector portals. If your Joomla site uses either extension and has not been patched, an automated scanner may already have deployed a web shell to your server.

What the Vulnerabilities Are

CVE-2026-48939 — iCagenda Unrestricted File Upload

iCagenda is an open-source event management extension for Joomla. It provides a public-facing “Submit an Event” form that allows site visitors to propose new calendar events — including uploading file attachments as supporting documentation.

The vulnerability is in that attachment upload handler. iCagenda accepts the uploaded file without validating its content type or extension, then writes it to a predictable path inside the web root:

images/icagenda/frontend/attachments/<filename>

Because this path is publicly accessible and the server will execute .php files, any unauthenticated visitor can upload a PHP web shell through the event submission form and then fetch it directly to run arbitrary commands on the server as the web server user.

According to mySites.guru — a cloud-based dashboard for managing WordPress and Joomla sites that was monitoring client access logs — exploitation has been fully automated:

“We first saw it in a client’s access log: an automated scanner identifying itself as ‘icagenda-batch/1.0’ grabbed a token, posted a malicious upload to the submit endpoint, then fetched the planted shell at the exact path the component writes attachments to.”

The automated campaign appears to have begun running on or around June 15, 2026 — nearly a month before CISA added the flaw to its KEV catalog.

Affected versions:

  • iCagenda 4.x up to and including 4.0.7
  • iCagenda 3.x from 3.2.1 up to and including 3.9.14

Fixed versions:

  • iCagenda 4.0.8
  • iCagenda 3.9.15

CVE-2026-56291 — Balbooa Forms Unauthenticated File Upload

Balbooa Forms is a commercial form builder extension for Joomla that lets site administrators create advanced web forms — contact forms, registration forms, file upload forms — without custom code. Its frontend attachment upload endpoint has a critical flaw.

According to mySites.guru, the vulnerability is strikingly simple: the upload endpoint accepts files from any anonymous visitor — no login, no CSRF token, and no check on the file type. An attacker submits a PHP file, the server writes it to the Balbooa Forms upload folder, and the attacker fetches it to run code:

“Up to and including version 2.4.0, its frontend attachment upload had a serious flaw: it accepted a file from any anonymous visitor, with no login, no CSRF token, and no check on the file type. An attacker could upload a PHP file into a public folder and then run it, which is unauthenticated remote code execution, the worst outcome a web flaw can have.”

The default upload path is: images/baforms/uploads/

The flaw was discovered on July 8, 2026 by mySites.guru researchers after a live attack on one of their managed customers.

Affected versions:

  • Balbooa Forms 2.4.0 and all prior versions

Fixed versions:

  • Balbooa Forms 2.4.1

Why It Matters

CVSS 10.0 — The Maximum Score

Both CVEs carry the highest possible CVSS score: 10.0 out of 10.0. The scoring reflects the worst possible combination of characteristics: the attack requires no authentication, no user interaction, no special privileges, and works over the network. The consequence is full remote code execution on the web server.

Active Zero-Day Exploitation

The iCagenda flaw (CVE-2026-48939) has been exploited in automated attacks since at least June 15, 2026 — nearly four weeks before the patch was released and CISA added it to KEV. During that window, any Joomla site running iCagenda with the event submission form enabled was silently scanned and potentially compromised by an automated tool that is explicitly named in access logs as icagenda-batch/1.0. If you have been running a vulnerable version since mid-June, you should treat the investigation steps below as an active incident response, not just routine patching.

The Balbooa Forms flaw (CVE-2026-56291), while discovered more recently, was identified only after a live attack was observed on a real customer site — meaning it too was being exploited before public disclosure.

Global Campaign Targeting CMS Extensions

The Australia Cyber Security Centre (ACSC) separately issued an advisory in July 2026 warning of a large-scale global campaign targeting CMS vulnerabilities — specifically unauthenticated file upload and remote code execution flaws in Joomla extensions, WordPress plugins, and other web CMS components — to deploy web shells. The iCagenda and Balbooa Forms flaws fit precisely into that campaign pattern. Adversaries are running fully automated scanners against the public internet, harvesting web shells from any site running unpatched vulnerable extensions.

The “CISA KEV” Signal

When CISA adds a vulnerability to its Known Exploited Vulnerabilities catalog, it is declaring — based on observed threat intelligence — that the vulnerability is being actively exploited in the wild. The July 13, 2026 federal agency deadline means the U.S. government considers these flaws serious enough to require immediate remediation from all federal agencies. Private sector organizations and self-hosted Joomla administrators should apply the same urgency.

Am I Affected?

iCagenda (CVE-2026-48939)

You are affected if:

  1. Your Joomla site has the iCagenda extension installed and enabled
  2. The “Submit an Event” / event submission feature is publicly accessible (enabled for frontend users)
  3. You are running iCagenda 4.0.7 or earlier, or iCagenda 3.x from 3.2.1 to 3.9.14

To check your iCagenda version: log in to the Joomla Administrator backend, go to Extensions → Manage → Manage, and search for “iCagenda”. The version number will appear in the list.

If you are on the 4.x branch and see 4.0.7 or lower, you need to upgrade to 4.0.8. If you are on the 3.x branch and see any version from 3.2.1 to 3.9.14, you need to upgrade to 3.9.15.

Balbooa Forms (CVE-2026-56291)

You are affected if:

  1. Your Joomla site has the Balbooa Forms extension installed and enabled
  2. Any form on the site has file attachment upload enabled for public/frontend users
  3. You are running Balbooa Forms 2.4.0 or earlier

To check your Balbooa Forms version: Joomla Admin → Extensions → Manage → Manage → search for “Balbooa Forms” or “baforms”.

What to Do About It

Step 1: Patch Immediately

iCagenda:

  1. Log in to your Joomla administrator backend
  2. Go to Extensions → Update and check for available updates
  3. Update iCagenda to version 4.0.8 (4.x users) or 3.9.15 (legacy 3.x users)
  4. Alternatively, download the update package from the JoomliC official site: https://www.joomlic.com/news/icagenda-security-update
  5. Confirm the installed version after update

Balbooa Forms:

  1. Go to Extensions → Update in your Joomla backend
  2. Update Balbooa Forms to version 2.4.1
  3. Official changelog: https://www.balbooa.com/help/joomla-forms-documentation/basics/changelog
  4. Confirm the installed version after update

Step 2: Check for Web Shells (Treat as Incident Response If Unpatched Since June 15)

If your site ran iCagenda 4.0.7 or earlier any time after June 15, 2026 — or ran Balbooa Forms 2.4.0 or earlier after July 8, 2026 — you must check for planted web shells before returning the site to full trust:

iCagenda upload folder:

# From your site root, scan for PHP files in the attachments folder:
find images/icagenda/frontend/attachments/ -name "*.php" -type f
find images/icagenda/frontend/attachments/ -name "*.php*" -type f

Any .php file in that folder is a planted web shell. Delete it immediately and rotate all credentials on the server.

Balbooa Forms upload folder:

# Scan for PHP or executable files in the Balbooa uploads folder:
find images/baforms/uploads/ -name "*.php" -type f
find images/baforms/uploads/ -type f ! -name "*.jpg" ! -name "*.jpeg" \
  ! -name "*.png" ! -name "*.gif" ! -name "*.pdf" ! -name "*.doc" \
  ! -name "*.docx" ! -name "*.xls" ! -name "*.xlsx" ! -name "*.zip"

Check the Joomla user list for backdoor admin accounts:

# MySQL — look for recently created super-admin accounts:
mysql -u <db_user> -p <db_name> -e "
  SELECT u.id, u.name, u.username, u.email, u.registerDate, u.lastvisitDate
  FROM jos_users u
  JOIN jos_user_usergroup_map m ON u.id = m.user_id
  JOIN jos_usergroups g ON m.group_id = g.id
  WHERE g.title = 'Super Users'
  ORDER BY u.registerDate DESC
  LIMIT 20;"

(Replace jos_ with your actual Joomla table prefix if it differs.)

Look for recently modified PHP files across the entire Joomla installation:

find /path/to/joomla -name "*.php" -newer images/icagenda/frontend/attachments \
  -not -path "*/administrator/*" -not -path "*/components/*" \
  -not -path "*/libraries/*" | head -40

Any recently modified .php files outside of normal update paths warrant manual review.

Check your web server access logs for requests hitting the upload paths and for any .php file in the upload directories being fetched:

grep "icagenda/frontend/attachments.*\.php" /var/log/nginx/access.log
grep "baforms/uploads.*\.php" /var/log/nginx/access.log
grep "icagenda-batch" /var/log/nginx/access.log

Step 3: Harden Going Forward

  • If you do not actively use the iCagenda “Submit an Event” public form, disable or restrict it in the iCagenda backend settings after patching
  • For Balbooa Forms, review every form that has file upload enabled and restrict accepted MIME types and extensions to only what is required for each form’s purpose
  • Consider a Web Application Firewall (WAF) rule blocking uploads of .php, .php3, .php4, .php5, .phtml, .phar files to any public upload endpoint
  • Monitor the upload directories for unexpected file types — add server-side deny from all or a location block in your NGINX/Apache config to prevent PHP execution within the upload directories:
# NGINX: Prevent PHP execution in Joomla upload folders
location ~* ^/images/.*\.(php|php3|php4|php5|phtml|phar)$ {
    deny all;
    return 403;
}

Quick-Win Checklist

  • Log in to Joomla Admin → Extensions → Manage → Manage and confirm iCagenda version
  • If iCagenda ≤4.0.7 or 3.x ≤3.9.14: update to 4.0.8 / 3.9.15 immediately
  • Log in to Joomla Admin and confirm Balbooa Forms version
  • If Balbooa Forms ≤2.4.0: update to 2.4.1 immediately
  • Run: find images/icagenda/frontend/attachments/ -name "*.php" — any output = web shell found
  • Run: find images/baforms/uploads/ -name "*.php" — any output = web shell found
  • Query your database for super-admin accounts created after June 10, 2026
  • Grep your web server access logs for icagenda-batch user-agent string
  • Add NGINX/Apache deny rule for PHP execution in all image/upload directories
  • Consider temporarily disabling the iCagenda public event submission form if it is not essential
  • If any web shell or suspicious admin account was found: rotate all database credentials, hosting credentials, Joomla admin passwords, and FTP/SSH access keys

Sources