Critical Joomla Zero-Day Vulnerabilities in iCagenda and Balbooa Forms Actively Exploited, CISA Issues Urgent Warning

joomla

CISA has issued an urgent warning after adding two critical Joomla vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. The flaws affect the popular Joomla extensions iCagenda and Balbooa Forms and are reportedly being exploited as zero-day vulnerabilities in real-world attacks.

Both security flaws have received the maximum CVSS score of 10.0, highlighting the severe risk they pose to Joomla website owners. Security researchers have observed attackers actively exploiting these vulnerabilities to upload malicious files, gain remote access, and potentially take full control of vulnerable web servers.

The vulnerabilities identified by CISA are:

CVE-2026-48939 – iCagenda Arbitrary File Upload Vulnerability

This vulnerability affects the iCagenda extension for Joomla. Attackers can abuse the file attachment feature to upload arbitrary files, including malicious PHP scripts. Once uploaded, these files can be executed on the server, leading to remote code execution (RCE).

CVE-2026-56291 – Balbooa Forms Arbitrary File Upload Vulnerability

The second flaw impacts the Balbooa Forms extension. Similar to the iCagenda issue, attackers can upload malicious files to vulnerable websites and execute them remotely. This can allow complete compromise of the affected Joomla installation.

Because both vulnerabilities can be exploited without significant barriers, security experts consider them among the most dangerous types of web application flaws.

According to website management platform mySites.guru, attackers have been exploiting CVE-2026-48939 as a zero-day vulnerability since at least June 15, 2026.

Researchers discovered automated attacks targeting Joomla websites running the iCagenda extension. The vulnerability exists within the “Submit an Event” functionality, which allows users to submit events for inclusion in website calendars.

Security analysts reported that automated scanners were observed collecting security tokens, uploading malicious files, and then accessing those files immediately after deployment. This attack chain enabled attackers to place web shells on vulnerable servers and gain remote control of affected websites.

The following versions of iCagenda are vulnerable:

  • iCagenda 4.x up to and including version 4.0.7
  • Legacy iCagenda 3.x versions from 3.2.1 through 3.9.14

To address the issue, developer JoomliC has released patched versions:

  • iCagenda 4.0.8
  • iCagenda 3.9.15

Website administrators are strongly advised to update immediately and inspect the following directory for suspicious PHP files:

images/icagenda/frontend/attachments/

Any unexpected executable files found in this location should be investigated and removed.

Security researchers also identified active exploitation of CVE-2026-56291, a critical flaw affecting Balbooa Forms.

The vulnerability impacts Balbooa Forms versions up to and including version 2.4.0. According to researchers, the vulnerable upload mechanism accepted files from anonymous users without requiring authentication, CSRF protection, or proper file-type validation.

As a result, attackers could upload PHP files directly to publicly accessible directories and execute them remotely. This creates a straightforward path to unauthenticated remote code execution, allowing threat actors to compromise Joomla websites without needing valid credentials.

Balbooa has addressed the issue in:

  • Balbooa Forms version 2.4.1

The flaw was reportedly discovered after security experts observed a live attack against one of their customers on July 8, 2026.

Organizations using Balbooa Forms should immediately review their environments for signs of compromise.

Security experts recommend:

  • Checking the Balbooa Forms upload directory, typically located at images/baforms/uploads
  • Looking for PHP files or other unexpected executable content
  • Reviewing Joomla administrator accounts for suspicious additions
  • Auditing recently modified files across the website
  • Investigating unfamiliar PHP scripts or web shells

Early detection is critical because attackers often use uploaded web shells to establish persistence and maintain long-term access to compromised systems.

Due to active exploitation, CISA has instructed Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerabilities by July 13, 2026.

The inclusion of these flaws in the KEV Catalog signals that exploitation is confirmed and poses a significant threat to organizations. Security teams should treat these vulnerabilities as a high-priority patching requirement.

The Joomla vulnerability disclosures come at the same time as a new warning from the Australian Cyber Security Centre (ACSC).

The ACSC has reported a large-scale global cyber campaign targeting vulnerable Content Management Systems (CMS), plugins, and web applications. Attackers are actively scanning internet-facing websites for weaknesses that can be exploited to deploy web shells.

According to the agency, threat actors are focusing on vulnerabilities that enable:

  • Unauthenticated file uploads
  • Remote code execution
  • Server-Side Request Forgery (SSRF)
  • Insecure deserialization attacks

Once a web shell is installed, attackers can remotely access and control compromised servers, steal sensitive data, deploy malware, and move deeper into organizational networks.

cisa

The ACSC warning highlights several CMS and plugin vulnerabilities currently attracting attacker interest, including:

  • Sneeit Framework (CVE-2025-6389)
  • WPBookit for WordPress (CVE-2025-7852)
  • Gravity Forms for WordPress (CVE-2025-12352)
  • Craft CMS (CVE-2025-32432)
  • Ninja Forms for WordPress (CVE-2026-0740)
  • MaxSite CMS (CVE-2026-3395)
  • Breeze Cache for WordPress (CVE-2026-3844)
  • WavePlayer for WordPress (CVE-2025-12057)
  • MetInfo CMS (CVE-2026-29014)
  • Joomla JCE (CVE-2026-48907)

The growing list demonstrates how cybercriminals continue to target widely used CMS platforms and plugins to gain access to websites worldwide.

The ACSC also warned that advances in artificial intelligence are increasing the speed and scale of cyberattacks. Threat actors can now automate vulnerability discovery, scanning, and exploitation more efficiently than ever before.

As a result, the time between vulnerability disclosure and active exploitation continues to shrink. Organizations that delay patching even for a few days may find themselves exposed to automated attack campaigns.

The active exploitation of the iCagenda and Balbooa Forms vulnerabilities serves as another reminder of the importance of timely patch management. With both flaws receiving a critical CVSS score of 10.0 and confirmed zero-day exploitation, Joomla administrators should update affected extensions immediately.

Organizations should also perform thorough security reviews to identify potential indicators of compromise and ensure that malicious files have not already been deployed. As attackers increasingly automate exploitation efforts, maintaining up-to-date CMS software and plugins remains one of the most effective defenses against website compromise.

Follow us on Twitter and Linkedin for real time updates and exclusive content.

Scroll to Top